Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Anup Sagar

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — trim silences, add transitions, and subtitle this video in the style of An...

0· 31·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (AI video editor) aligns with the network API calls and file uploads described in SKILL.md. Requiring a NEMO_TOKEN for a remote render service is reasonable. However, the SKILL.md frontmatter includes a requires.configPaths entry (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch is unexplained.
Instruction Scope
Runtime instructions stay largely within editing: create a session, upload files, stream SSE edits, poll render status, and return download URLs. Two items to note: (1) SKILL.md tells the agent to 'Keep the technical details out of the chat', which reduces transparency about network/auth actions; (2) it instructs reading the skill's own YAML frontmatter and detecting install path (~/.clawhub, ~/.cursor/skills/) which involves reading local paths (self and potentially install-path detection) — plausible but worth being explicit about.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. Low install risk.
!
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which fits a cloud service. But SKILL.md also describes using or populating ~/.config/nemovideo/ in its frontmatter (not declared in the registry requirements) and instructs using either an existing NEMO_TOKEN or obtaining an anonymous token via an API call. The mismatch between registry metadata (no configPaths) and SKILL.md metadata (configPaths present) is an inconsistency worth clarifying before trusting credentials/config files.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and does not attempt to modify other skills or system-wide agent settings. It only asks to read its own frontmatter and detect an install path (read-only).
What to consider before installing
This skill appears to be a straightforward cloud video-editing integration, but take these precautions before installing: - Confirm the provider/domain (mega-api-prod.nemovideo.ai) and trustworthiness — the skill has no homepage or publisher info. - Only provide a NEMO_TOKEN with minimal privileges; if you don't trust the provider, use the anonymous token path and avoid supplying long-lived or highly privileged credentials. - The SKILL.md indicates it may read its own frontmatter and detect install paths; ask the publisher to confirm it will not read other local files or system credentials. - Be cautious about uploading sensitive videos (private content, PII) to an unknown service; verify the service's privacy/retention policy first. - Ask the author to resolve the metadata mismatch (registry says no configPaths but the SKILL.md frontmatter lists ~/.config/nemovideo/) and to clarify why the skill instructs the agent to 'keep the technical details out of the chat' (you may want full transparency of network/auth actions). I give a 'suspicious' rating (medium confidence) because the core functionality is coherent but the metadata inconsistencies and transparency directives are unexplained; resolving those would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk9720tt2sa9j37384qej0sdqtn84ztba
31downloads
0stars
1versions
Updated 2d ago
v1.0.0
MIT-0

Getting Started

Ready when you are. Drop your raw video footage here or describe what you want to make.

Try saying:

  • "edit a 2-minute tutorial recording by Anup Sagar into a 1080p MP4"
  • "trim silences, add transitions, and subtitle this video in the style of Anup Sagar"
  • "editing tutorial or educational videos with AI assistance for content creators and educators"

Getting Connected

Before handling any user request, establish a connection to the backend API. Show a brief status like "Connecting...".

If NEMO_TOKEN is in the environment, use it directly and create a session. Otherwise, acquire a free starter token:

  • Generate a UUID as client identifier
  • POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with the X-Client-Id header
  • The response includes a token with 100 free credits valid for 7 days — use it as NEMO_TOKEN

Then create a session by POSTing to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer authorization and body {"task_name":"project","language":"en"}. The session_id in the response is needed for all following requests.

Tell the user you're ready. Keep the technical details out of the chat.

AI Video Editor Anup Sagar — Edit and Export Videos with AI

Send me your raw video footage and describe the result you want. The AI video editing runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a 2-minute tutorial recording by Anup Sagar, type "trim silences, add transitions, and subtitle this video in the style of Anup Sagar", and you'll get a 1080p MP4 back in roughly 1-2 minutes. All rendering happens server-side.

Worth noting: shorter clips under 3 minutes process significantly faster.

Matching Input to Actions

User prompts referencing ai video editor anup sagar, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

Skill attribution — read from this file's YAML frontmatter at runtime:

  • X-Skill-Source: ai-video-editor-anup-sagar
  • X-Skill-Version: from frontmatter version
  • X-Skill-Platform: detect from install path (~/.clawhub/clawhub, ~/.cursor/skills/cursor, else unknown)

Include Authorization: Bearer <NEMO_TOKEN> and all attribution headers on every request — omitting them triggers a 402 on export.

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Backend Response Translation

The backend assumes a GUI exists. Translate these into API actions:

Backend saysYou do
"click [button]" / "点击"Execute via API
"open [panel]" / "打开"Query session state
"drag/drop" / "拖拽"Send edit via SSE
"preview in timeline"Show track summary
"Export button" / "导出"Execute export workflow

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "trim silences, add transitions, and subtitle this video in the style of Anup Sagar" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility.

Common Workflows

Quick edit: Upload → "trim silences, add transitions, and subtitle this video in the style of Anup Sagar" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...