ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Creator Studio

v1.0.0

Cloud-based youtube-creator-studio tool that handles editing and optimizing videos for YouTube channel publishing. Upload MP4, MOV, AVI, WebM files (up to 50...

0· 40·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a cloud video editing/export tool and only requests a single service credential (NEMO_TOKEN) and network calls to nemovideo.ai endpoints, which is coherent with the stated purpose. Minor inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths.
Instruction Scope
Instructions are focused on establishing a session, uploading video files, streaming SSE responses, and starting exports to the stated API. They instruct saving session_id and using or obtaining a NEMO_TOKEN. The runtime also asks the agent to detect an install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set an X-Skill-Platform header — this requires inspecting filesystem paths and is broader than purely sending the uploaded files, but not obviously unrelated to attribution.
Install Mechanism
Instruction-only skill with no install spec or code files, so nothing is downloaded or written by an installer — lowest risk for install mechanism.
Credentials
Only NEMO_TOKEN is declared as required, which fits the service. However the frontmatter's metadata references a config directory (~/.config/nemovideo/) and the attribution logic asks the agent to inspect common skill-install locations — these could lead the skill to read or write local config/token files. Confirm whether the skill will persist tokens and where.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does instruct saving a session_id and using/storing a NEMO_TOKEN (including generating an anonymous token), which implies some persistence of credentials, but it does not modify other skills or request elevated platform-wide permissions.
Assessment
This skill appears to do what it says (cloud video editing) and only asks for a NEMO_TOKEN, but you should: 1) confirm you trust the endpoint domain (mega-api-prod.nemovideo.ai) and the unknown publisher before sending video files (avoid uploading sensitive content), 2) ask where the skill stores the generated or provided NEMO_TOKEN and session_id (environment variable vs a file under ~/.config/nemovideo/), 3) be aware it may inspect install paths (~/.clawhub, ~/.cursor/skills) to set an attribution header, 4) verify billing/credit behavior (anonymous tokens are limited) and privacy/data-retention terms, and 5) prefer a skill with a visible homepage/source or request the source code if you need higher assurance.

Like a lobster shell, security has layers — review code before you run it.

latestvk975zdm2vjswnkb32z8ngtqj6h84jwah

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments