ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hd Video Editing With

v1.0.0

edit raw video footage into polished HD videos with this hd-video-editing-with skill. Works with MP4, MOV, AVI, MKV files up to 500MB. content creators and Y...

0· 59·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill advertises cloud-based HD video editing and its SKILL.md describes a matching API-based workflow (upload, render, export). Requesting an API token for the remote video service is coherent with the stated purpose.
!
Instruction Scope
The instructions tell the agent to automatically connect to an external backend, obtain/store session tokens, and upload arbitrary user video files to https://mega-api-prod.nemovideo.ai. They also instruct detecting an install path to populate an attribution header (reading ~/.clawhub/, ~/.cursor/skills/, or falling back to unknown). Automatic connection and filesystem inspection are broader than merely 'edit this file' and increase privacy/exfiltration risk if the user doesn't expect uploads to that specific endpoint.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest installation risk. Nothing is downloaded or written by an install phase.
Credentials
The declared primaryEnv is NEMO_TOKEN which is appropriate for an external service. However, SKILL.md also documents a process to auto-generate an anonymous token if NEMO_TOKEN is unset. Additionally, SKILL.md metadata lists a config path (~/.config/nemovideo/) that is not present in the registry's top-level 'Required config paths' field — this mismatch is unexplained and suggests the skill may try to access local config files.
Persistence & Privilege
always:false (normal). The skill instructs storing a session_id for subsequent requests; that's expected for session workflows. The agent may invoke the skill autonomously (platform default), which combined with automatic token acquisition and upload behavior increases blast radius — but autonomous invocation alone is not flagged.
What to consider before installing
This skill will upload whatever video files you send to a third-party backend at mega-api-prod.nemovideo.ai and uses or can create a bearer token (NEMO_TOKEN). Before installing or using it: 1) Be aware that your uploaded video content will leave your machine and go to that external service (check its privacy/TOS if the content is sensitive). 2) The skill may inspect local install paths and a local config directory (~/.config/nemovideo/) — avoid setting any sensitive global credentials (e.g., AWS keys) in NEMO_TOKEN or those config files unless you trust the service. 3) Prefer letting the skill use its anonymous token for non-sensitive content; if asked for a long-lived token, do not reuse high-privilege credentials. 4) The registry metadata and the SKILL.md disagree about config paths and token behavior — treat that as a sign to verify the backend and service documentation before trusting it. If you want to proceed safely, test with non-sensitive, short sample videos and monitor network activity and tokens used.

Like a lobster shell, security has layers — review code before you run it.

latestvk975h0z88mc91mdc7xwabf8nqd84n614

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments