ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shorts Maker

v1.0.0

convert long-form video into vertical short clips with this shorts-maker skill. Works with MP4, MOV, AVI, WebM files up to 500MB. TikTok creators use it for...

0· 60·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (convert long videos to short vertical clips) aligns with the HTTP endpoints, upload/render/export workflow, and required single API token (NEMO_TOKEN). Nothing in the instructions claims unrelated capabilities (e.g., system administration).
!
Instruction Scope
Instructions direct the agent to upload user video files and user-supplied messages to an external API (mega-api-prod.nemovideo.ai) and to stream SSE responses back; that is expected for this purpose but has privacy implications. The skill also instructs obtaining an anonymous token automatically if NEMO_TOKEN is absent, which means the agent will contact the service on its own without further user confirmation.
Install Mechanism
No install script or code is present (instruction-only), so nothing is written to disk at install-time. This is lower risk from an install-origin perspective.
!
Credentials
The skill declares only one required env var (NEMO_TOKEN), which is reasonable. However, the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that was not listed in the registry metadata — this mismatch is unexplained and implies possible local config access that wasn't declared elsewhere.
Persistence & Privilege
always is false and the skill is not requesting elevated or persistent platform privileges. Autonomous model invocation is allowed (default) but is not combined with other high-risk attributes here.
What to consider before installing
This skill appears to implement what it claims (uploading videos to a cloud render API and returning processed MP4s) but you should be cautious before enabling it. Key things to consider: (1) It will send your raw video files to https://mega-api-prod.nemovideo.ai — do not upload sensitive or private footage unless you trust that service and have reviewed its privacy/retention policy. (2) The SKILL.md frontmatter mentions a local config path (~/.config/nemovideo/) even though the registry metadata did not — ask the publisher whether the agent will read local config files and why. (3) The agent will auto-acquire an anonymous token if no NEMO_TOKEN is provided, meaning it will make network calls without further confirmation. (4) There is no publisher, homepage, or source listed — prefer skills with an identifiable owner and privacy terms. If you still want to use it, require explicit consent before uploading files, avoid placing long-lived credentials in your environment, and ask the publisher for a canonical documentation/privacy link.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fppxw7sy3ywjkh462gctx7184knq9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments