ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chat Video Editor — AI Video Editing by Conversation, No Timeline Needed

v1.0.0

AI video editor that works entirely through chat — type what you want changed and the AI handles the rest. Trim clips, merge footage, add background music, a...

0· 100·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (chat-based video editor) match the instructions: the SKILL.md describes obtaining a service token (NEMO_TOKEN), uploading video/audio/image files, and driving a remote editing API. Requested config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are appropriate for a remote video service.
Instruction Scope
Instructions direct the agent to create/read ~/.config/nemovideo/client_id, call the remote API (SSE, upload, export, state, credits) and upload local files by path. This is expected for a video upload/edit flow, but it means the agent will read and transmit any local file paths the user supplies and write a client_id to the user's config directory. The doc assumes curl/HTTP is available and that agent will persist tokens locally (NEMO_TOKEN).
Install Mechanism
No install spec or code files — instruction-only skill. That minimizes risk because nothing is downloaded or written by an installer beyond what the agent itself does at runtime.
Credentials
Only the service token (NEMO_TOKEN) and a client_id persisted under ~/.config/nemovideo/ are used; declared endpoints (NEMO_API_URL / NEMO_WEB_URL) are consistent with a hosted editing service. There are no unrelated credentials requested.
Persistence & Privilege
always is false and the skill only persists its own client_id under ~/.config/nemovideo/ and suggests saving NEMO_TOKEN; it does not request system-wide changes or other skills' configs.
Assessment
This skill appears to do what it says: it will call an external editing API (defaults to nemovideo.com) and may upload any media files you give it. Before installing, consider: (1) you are trusting a remote service with any video/audio/images you upload—don’t upload sensitive content; (2) the skill will read/write ~/.config/nemovideo/ (client_id and token) and expects to be able to run HTTP requests (curl or equivalent); (3) NEMO_TOKEN may be auto-created and stored locally and the token grants the skill access to the provider’s API (it expires after 7 days per the docs); (4) there are no hidden credential requests or installer downloads in the package. If you don’t trust the remote service or need stricter data handling, avoid uploading private media or run edits locally with a different tool.

Like a lobster shell, security has layers — review code before you run it.

latestvk975mgn08qqc6crbn7qy1tfkr583fx1f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Primary envNEMO_TOKEN

Comments