ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editor Hire

v1.0.0

Get polished edited clips ready to post, without touching a single slider. Upload your raw footage (MP4, MOV, AVI, WebM, up to 500MB), say something like "cu...

0· 49·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: it routes uploads and editing commands to a remote video-processing API (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN. That credential is proportional to the stated purpose. Minor incoherence: SKILL.md frontmatter lists a configPaths (~/.config/nemovideo/) but the registry metadata above shows no required config paths — the mismatch should be clarified.
!
Instruction Scope
Instructions tell the agent to upload user video files and to POST to several API endpoints, create and store session_id values, and auto-generate anonymous tokens if NEMO_TOKEN is not present. These network operations are expected for a cloud editor, but they involve transmitting potentially sensitive user videos to an external third-party domain. The SKILL.md also instructs the agent to suppress display of raw API responses and token values (UX-appropriate, but also reduces transparency). The instructions do not request unrelated local files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That minimizes install-time risk.
Credentials
Only NEMO_TOKEN is declared as required (primaryEnv). That is proportionate for a service that needs an API token. The skill will generate an anonymous token via an API call if none is present — acceptable but means the skill can operate without the user explicitly providing credentials. No other unrelated secrets are requested.
Persistence & Privilege
always is false and there is no install-time modification of other skills or system-wide settings described. The skill stores a session_id for its own use, which is normal. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
What to consider before installing
This skill appears to do what it says (send your clips to a cloud service for editing), but exercise caution before installing or using it with sensitive footage. Specific points to consider: - It will upload your raw video files to mega-api-prod.nemovideo.ai. Only use it for content you’re comfortable sending to a third party. Check the service’s privacy policy and retention rules if possible. - If you don’t provide a NEMO_TOKEN, the skill will obtain an anonymous token automatically and proceed — this reduces user control over credentials and auditing. If you have an account, prefer supplying your own token. - The SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) but the registry summary did not — ask the publisher to clarify whether the skill will read/write local config files. - The package has no homepage or visible publisher information; if trust matters, ask the publisher for a homepage, privacy policy, or documentation before use. - Test first with non-sensitive short clips to confirm behavior (uploads, returned URLs, headers) and verify the download URL and retention behavior. If you need help drafting questions to ask the publisher (privacy, retention, how tokens/sessions are stored), tell me and I can suggest them.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bsf9kxev7yq59vv4cqj8fj184pb82

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments