Video Maker Iphone
v1.0.0Turn a 60-second iPhone camera recording into 1080p polished MP4 clips just by typing what you need. Whether it's editing and exporting iPhone footage into s...
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name, description, endpoints, and required NEMO_TOKEN align with a cloud video-editing backend. The single required credential (NEMO_TOKEN) and the listed API endpoints are appropriate for the stated purpose. However, the metadata lists a local config path (~/.config/nemovideo/) that the SKILL.md never actually instructs the agent to read; this mismatch is unexpected and worth clarifying.
Instruction Scope
SKILL.md confines actions to authenticating (or creating an anonymous token), creating a session, uploading user-provided media, sending edit commands, polling status, and returning download URLs. It does not instruct reading unrelated system files, shell history, or arbitrary environment variables. It does instruct auto-generating an anonymous token and storing session_id/token for subsequent requests; storage location and retention policy are not specified.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which minimizes on-disk risk. All runtime behavior is via network calls to the remote API described in the SKILL.md.
Credentials
Only NEMO_TOKEN is required, which is proportionate for a third-party video API. Concerns: (1) metadata's declared configPaths (~/.config/nemovideo/) is not used in the instructions — if the implementation reads that path it could access local credentials; (2) the skill auto-creates and stores an anonymous token (valid 7 days) and session IDs — that stored credential grants access to uploaded media and render jobs, so understand where/how tokens/session IDs are persisted and how to revoke them; (3) uploading media to an external service has privacy and retention implications that the SKILL.md does not describe.
Persistence & Privilege
The skill does not request 'always: true' and does not ask to modify other agent settings. It does instruct creating/storing temporary credentials and session IDs for at least the token lifetime (7 days) and can orphan render jobs if the UI is closed. Autonomous invocation is allowed (platform default) but not a special privilege here.
Scan Findings in Context
[no_code_files_to_scan] expected: The repository contains only SKILL.md and no code files; the regex-based scanner had nothing to analyze. The SKILL.md is therefore the primary security surface.
Assessment
This skill appears to do what it says (upload your iPhone clips to a remote nemovideo.ai backend and return edited MP4s), but check a few things before installing or using it: 1) Confirm you're comfortable uploading videos to mega-api-prod.nemovideo.ai — ask the provider about data retention, sharing, and deletion policies. 2) Verify how and where the anonymous NEMO_TOKEN and session_id are stored and how you can revoke them (token lifetime is described as 7 days). 3) Ask why the skill metadata lists a local config path (~/.config/nemovideo/) — verify the skill will not read unrelated local files or credentials. 4) Avoid sending sensitive or private footage until you have privacy guarantees. 5) If you need stronger assurances, request a source/homepage or an audited implementation before trusting production data.Like a lobster shell, security has layers — review code before you run it.
latestvk978anaw49gwcc4whkv3bn8f6184q6dh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📱 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN