Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Korean Editor Ai

v1.0.0

K-content creators edit raw video footage into Korean-edited videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the runtime instructions: the SKILL.md exclusively describes using a remote video-processing API, uploading files, starting sessions, streaming edits, and exporting MP4s. Requesting a service token (NEMO_TOKEN) is expected for this purpose.
Instruction Scope
Most runtime steps are within scope (auth, upload, SSE, render polling). However the instructions ask the agent to detect the installation path to set X-Skill-Platform (checking ~/.clawhub/, ~/.cursor/skills/, etc.), which requires inspecting the user's filesystem/environment even though the registry metadata did not declare config paths for that. The SKILL.md frontmatter itself lists a configPaths entry (~/.config/nemovideo/) that is not reflected in the registry metadata — an inconsistency. The instructions also direct sending user media to an external host (mega-api-prod.nemovideo.ai), which is expected but privacy-sensitive.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. This is low-risk from an install mechanism perspective (nothing will be written to disk by an installer).
Credentials
The skill only requires a single credential (NEMO_TOKEN), which is proportionate for a remote video service. But the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and the instructions imply checking installation directories — access to these paths was not declared in the registry metadata. Confirm whether the agent will read local paths and how session tokens are stored.
Persistence & Privilege
always:false and no install-time hooks are present. The instructions ask to save session_id and use tokens for API calls (ephemeral usage), but there is no request for permanent agent-wide privileges or modifications to other skills.
What to consider before installing
This skill appears to do what it claims (upload your video to a cloud renderer using NEMO_TOKEN), but verify the following before enabling it:
1) Provenance: there is no source/homepage — ask the publisher for a code repo or company page.
2) Token safety: only set NEMO_TOKEN if you trust the service; anonymous-token generation is supported but yields short-lived credits.
3) Privacy: your raw footage will be uploaded to mega-api-prod.nemovideo.ai — avoid uploading sensitive content unless you accept that.
4) Filesystem access: the SKILL.md asks the agent to detect install paths to set an attribution header; confirm whether the skill will inspect your home directories and whether that behavior is necessary.
5) Ask the publisher to reconcile the registry metadata vs SKILL.md (configPaths mismatch) and to publish a homepage or privacy/terms link.
If you proceed, prefer using the anonymous token flow or a disposable token and keep monitoring for unexpected network requests.

Like a lobster shell, security has layers — review code before you run it.

latestvk973tdt31586pjb1bdft0qzntx84jarm

Runtime requirements

🇰🇷 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
