Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Jiggle

v1.0.0

stabilize video clips into stabilized video clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators use it for removing cam...

0· 48·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to stabilize video via a cloud API and the SKILL.md contains API endpoints and upload/export flows consistent with that. Requesting a single API credential (NEMO_TOKEN) is reasonable for this purpose. However, the SKILL.md also includes a configPaths metadata entry (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch is an inconsistency. Also the skill can operate without NEMO_TOKEN by acquiring an anonymous token itself, so declaring NEMO_TOKEN as strictly required is misleading.
Instruction Scope
Instructions are largely scoped to creating sessions, uploading files, streaming SSE, polling renders, and returning download URLs — all expected for a cloud render service. Points to note: the skill instructs deriving an 'X-Skill-Platform' header by detecting install paths (e.g., checking for ~/.clawhub/ or ~/.cursor/skills/), which implies reading the filesystem to infer environment; this is not strictly necessary for video stabilization and expands the agent's I/O footprint. The skill also tells the agent how to request an anonymous token and to generate UUIDs for X-Client-Id, meaning it will contact an external service automatically if no NEMO_TOKEN is present.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk install mechanism because nothing is written to disk by an installer. Behavior is entirely runtime network calls described in SKILL.md.
Credentials
Only one environment variable is declared (NEMO_TOKEN), which is proportional for an API-backed service. However, because the skill will request an anonymous token itself when NEMO_TOKEN is absent, marking NEMO_TOKEN as required is inconsistent. The skill does not request unrelated cloud credentials, but it does imply reading install/config paths and deriving headers from local install paths, which increases its scope of access to local environment information.
Persistence & Privilege
The skill is not marked always:true and doesn't request persistent system-wide privileges. It does allow autonomous invocation (platform default) which increases its runtime blast radius only if combined with other red flags; here there are no install-time persistence mechanisms or cross-skill configuration changes.
What to consider before installing
This skill appears to do what it says (upload your video, run cloud stabilization, return MP4). Before installing, consider: 1) The backend domain (mega-api-prod.nemovideo.ai) is not documented with a public homepage or privacy/terms links — you should confirm you trust that service before uploading private videos. 2) Although it declares NEMO_TOKEN as required, the skill will obtain an anonymous token itself if none is provided; if you want to avoid the skill contacting external endpoints automatically, do not install it or block its network access. 3) The SKILL.md implies the agent may check local install paths (~/.clawhub/, ~/.cursor/) to set headers — if you are uncomfortable with any filesystem inspection, do not install. 4) Prefer supplying your own account token (NEMO_TOKEN) from a known, trusted provider rather than relying on anonymous tokens. 5) Ask the publisher for a homepage, privacy policy, and source code if you need stronger assurance; absence of those increases risk. If you proceed, avoid uploading sensitive or private video content until you verify the service and its data retention policies.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎥 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk977x141w4btjqfs7y7db3mx0x857pfd
48downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0

Getting Started

Share your video clips and I'll get started on AI motion stabilization. Or just tell me what you're thinking.

Try saying:

  • "stabilize my video clips"
  • "export 1080p MP4"
  • "remove the jiggle and shakiness from"

Getting Connected

Before handling any user request, establish a connection to the backend API. Show a brief status like "Connecting...".

If NEMO_TOKEN is in the environment, use it directly and create a session. Otherwise, acquire a free starter token:

  • Generate a UUID as client identifier
  • POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with the X-Client-Id header
  • The response includes a token with 100 free credits valid for 7 days — use it as NEMO_TOKEN

Then create a session by POSTing to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer authorization and body {"task_name":"project","language":"en"}. The session_id in the response is needed for all following requests.

Tell the user you're ready. Keep the technical details out of the chat.

Video Jiggle — Stabilize and Smooth Shaky Footage

Send me your video clips and describe the result you want. The AI motion stabilization runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a 30-second handheld phone recording with shaky movement, type "remove the jiggle and shakiness from my walking video", and you'll get a 1080p MP4 back in roughly 20-40 seconds. All rendering happens server-side.

Worth noting: shorter clips under 60 seconds stabilize faster and with higher accuracy.

Matching Input to Actions

User prompts referencing video jiggle, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

Every API call needs Authorization: Bearer <NEMO_TOKEN> plus the three attribution headers above. If any header is missing, exports return 402.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is video-jiggle, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Backend Response Translation

The backend assumes a GUI exists. Translate these into API actions:

Backend saysYou do
"click [button]" / "点击"Execute via API
"open [panel]" / "打开"Query session state
"drag/drop" / "拖拽"Send edit via SSE
"preview in timeline"Show track summary
"Export button" / "导出"Execute export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "remove the jiggle and shakiness from my walking video" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility across social platforms.

Common Workflows

Quick edit: Upload → "remove the jiggle and shakiness from my walking video" → Download MP4. Takes 20-40 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...