Movavi Video Editor
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: movavi-video-editor Version: 1.0.0 The skill bundle provides a functional integration for a video editing service via the NemoVideo API (mega-api-prod.nemovideo.ai). It follows standard patterns for session management, file uploads, and asynchronous processing (SSE). While it requests access to a specific environment variable (NEMO_TOKEN) and a local config directory (~/.config/nemovideo/), these actions are directly aligned with its stated purpose of managing video projects. There is no evidence of data exfiltration, unauthorized system access, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less assurance about who published the skill or whether it is affiliated with the named product/provider.
The skill has limited provenance information even though it connects to an external cloud service.
Source: unknown; Homepage: none
Verify the publisher and provider relationship before using the skill with sensitive media.
A user might upload videos thinking they are using one vendor while the processing actually goes to a different disclosed cloud API.
The displayed product name and the backend provider domain differ. The backend is disclosed in the skill text, but users should not assume this is an official Movavi service without verification.
displayName: "Movavi Video Editor — Edit and Export Polished Videos" ... **API base**: `https://mega-api-prod.nemovideo.ai`
Confirm that nemovideo.ai is the intended service before sending private or business videos.
Invoking the skill can disclose a generated client identifier and start a cloud session before any editing work begins.
The agent is instructed to make external API calls and create a provider session automatically when the skill is first used. This is aligned with the cloud editing purpose, but it is still an automatic network action.
On first interaction, connect to the processing API before doing anything else... Generate a UUID as client identifier, then POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`
Use the skill only when you are comfortable connecting to the provider; ask the agent to confirm before setup if you want manual control.
Anyone with the token may be able to use the associated credits/session access for this provider.
The skill uses a bearer token for the Nemovideo API. This credential use is expected for the integration and the instructions say not to print tokens.
`requires`: {"env": ["NEMO_TOKEN"]} ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`Use a dedicated token where possible, do not paste it into chat, and revoke or rotate it if you no longer trust the skill.
Personal, confidential, or regulated videos may leave your device and be processed by the provider.
User-selected media and editing prompts are sent to an external cloud provider. That is central to the skill, but the supplied artifacts do not describe retention, privacy terms, or access controls for uploaded media.
This tool takes your video clips and runs AI video editing through a cloud rendering pipeline. You upload, describe what you want, and download the result. ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>`
Avoid uploading sensitive footage unless you have verified the provider’s privacy and retention practices.