Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Compressor Pro

v1.0.0

Get compressed MP4 files ready to post, without touching a single slider. Upload your large video files (MP4, MOV, AVI, MKV, up to 500MB), say something like...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an instruction-only wrapper around a cloud video-processing API; asking for a service token (NEMO_TOKEN) is consistent with that purpose. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) and logic to detect install path for X-Skill-Platform, while the registry metadata reported 'Required config paths: none' — this mismatch is unexpected and should be clarified. Detecting install path is not strictly necessary to compress videos and suggests the skill wants to read local agent installation locations.
Instruction Scope
Runtime instructions direct the agent to perform network operations (create anonymous tokens, create sessions, upload user files, stream SSE, poll for render status) to the API host https://mega-api-prod.nemovideo.ai — that aligns with the stated cloud-render behavior. Important concerns: (1) the skill will upload user video files to an external third-party service (explicit in the Upload section) — this transfers potentially sensitive user data off-device; (2) the SKILL.md instructs the agent to detect install paths (~/.clawhub/, ~/.cursor/skills/) to set a header, which requires reading filesystem paths not declared in the registry; (3) the file mentions saving session_id and using tokens — storing/handling credentials should be carefully scoped. These behaviors are coherent with a cloud compressor but expand the attack/privacy surface and rely on trusting the external API.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes local attack surface since nothing is downloaded or executed locally by the skill installer.
Credentials
Only one credential, NEMO_TOKEN, is required and is directly relevant to calling the nemo video API. That is proportionate. Caveat: frontmatter also includes a configPaths entry (~/.config/nemovideo/) which was not recorded in the registry's 'Required config paths' — the mismatch should be resolved. The anonymous-token flow does not require pre-provisioned secrets, but gives the skill ability to obtain a short-lived token on behalf of the agent.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does instruct the agent to save session_id and tokens for the render session (normal for a cloud API client). It does not request modifications to other skills or system-wide settings.
What to consider before installing
This skill will upload whatever video you provide to https://mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will obtain an anonymous token for you). Before installing or using: (1) confirm the service origin and trustworthiness (no homepage is provided and owner is unknown); (2) do not upload sensitive or private footage unless you accept that it will be transmitted and processed by that third party; (3) ask the skill author to explain the metadata mismatch (SKILL.md lists a config path and install-path detection but registry metadata does not) and why the agent must read install paths; (4) verify retention/privacy policy and whether the service stores uploaded files; (5) prefer a skill with a documented homepage, owner contact, or known registry publisher. If you decide to proceed, restrict NEMO_TOKEN to the least privileges possible (or use the anonymous-token flow) and avoid sending sensitive content until you verify the service.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fqe60p9b62k2pdpm5n5yw4584w1r5

Runtime requirements

🗜️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
