ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Japanese Video Editing With

v1.0.0

edit raw video footage into edited Japanese videos with this japanese-video-editing-with skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content cre...

0· 39·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to integrate with a NemoVideo backend and requires a NEMO_TOKEN — that aligns with a cloud video-editing service. However the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths; this mismatch is inconsistent and should be clarified.
Instruction Scope
Runtime instructions direct the agent to automatically connect to an external backend on first use, generate an anonymous token via POST to https://mega-api-prod.nemovideo.ai, and store session identifiers for subsequent API calls. Automatic network calls and hidden token handling ('Don't display raw API responses or token values to the user') expand the skill's runtime scope beyond just waiting for an explicit upload command and could be surprising to users.
Install Mechanism
This is an instruction-only skill with no install spec and no files to write or binaries to install, which is the lowest-risk install model.
Credentials
Only one credential (NEMO_TOKEN) is required, which is reasonable for this external API. However the frontmatter also references a config path (~/.config/nemovideo/) and the skill will probe install paths to set an X-Skill-Platform header; both behaviors access filesystem state beyond just using the token and should be justified or documented. The skill's ability to auto-provision an anonymous token means it can operate without a user-supplied secret, which is acceptable but worth noting.
Persistence & Privilege
The skill is not always-enabled and does not request special persistent privileges. It does instruct storing session_id and using tokens for API calls, which is normal for a remote service integration.
What to consider before installing
This skill appears to do what it says (talk to a NemoVideo backend to edit videos), but there are some things to check before installing: 1) It will automatically contact https://mega-api-prod.nemovideo.ai on first use and can create an anonymous token for you — if you prefer control, set NEMO_TOKEN yourself instead of letting it auto-provision. 2) The SKILL.md frontmatter references a config path (~/.config/nemovideo/) and instructs probing install paths to set an attribution header; confirm you’re comfortable with the skill reading those locations. 3) The instructions explicitly say not to surface raw API responses or token values to users — that’s normal for secrets, but it also means network activity and tokens are handled behind the scenes. If you don’t trust the nemo endpoint or want explicit consent before any network calls, don’t enable the skill or ask the publisher to remove automatic provisioning and clarify the config-path behavior. Additional information that would raise confidence: a publisher/homepage, clarity on whether the skill actually writes to ~/.config/nemovideo/, and confirmation of what is stored and where (in-memory only vs persisted on disk).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ba8mqa8335gnj95x07fj3wn84n6gb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments