ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker Automatic

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — automatically edit my footage into a finished video with transitions and m...

0· 56·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (auto-edit and export videos) aligns with the network endpoints, upload, and export flows in SKILL.md. Required credential NEMO_TOKEN is appropriate for a cloud service. However, the SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) while the registry summary lists no required config paths — this mismatch is an incoherence in the manifest.
!
Instruction Scope
Runtime instructions direct the agent to upload user video files to a remote API, create sessions, use SSE, poll export status and include attribution headers. These are expected for a cloud render pipeline. Concerning details: SKILL.md instructs reading this file's YAML frontmatter and detecting install path (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header — that requires filesystem/agent-path inspection which is not essential to core editing and broadens the scope of what the agent reads.
Install Mechanism
No install spec and no code files (instruction-only). Lowest risk for arbitrary disk writes or hidden installs.
Credentials
Only one environment variable is declared (NEMO_TOKEN), which is proportional for a third‑party API. SKILL.md also documents a fallback anonymous-token flow (POST to /api/auth/anonymous-token) to obtain a short-lived token if none is present — this is functional but redundant with primaryEnv and means the skill can operate without a user-supplied secret.
Persistence & Privilege
always:false and no install behavior that modifies other skills or global agent settings. The skill does not request permanent presence or elevated privileges.
What to consider before installing
This skill appears to do what it says (upload clips to a cloud service and return edited videos), but review these points before installing: - Privacy: uploaded videos are sent to mega-api-prod.nemovideo.ai — do not send sensitive or private footage unless you trust the service and understand its retention/TOS. - Token handling: you can supply your own NEMO_TOKEN, or the skill will request an anonymous short-lived token on your behalf. If you let the skill obtain tokens, be aware those tokens grant the service access to uploads and jobs until expiry. - File-system reads: the instructions ask the agent to read this file's frontmatter and detect install paths to set attribution headers — confirm you’re comfortable with that filesystem inspection. - Manifest mismatch: the registry metadata and SKILL.md disagree about required config paths; ask the publisher to clarify what, if any, local config is accessed. If you need to proceed: provide a dedicated or revocable token, avoid uploading sensitive footage, and ask the publisher for a privacy/retention policy and clarification of the config-path behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk975s2cxvcty3zqdjeag0259y584nagt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments