ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor De Video

v1.0.6

Editor de Video IA — Edita y Crea Videos con Inteligencia Artificial. Edita tus videos describiendo lo que necesitas — sin software de edicion, sin linea...

0· 95·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim cloud-based AI video editing and the SKILL.md instructs contacting nemo backend (mega-api-prod.nemovideo.ai) and handling a NEMO_TOKEN — that is consistent. However the registry metadata lists no required env vars while also listing a primaryEnv (NEMO_TOKEN), which is an internal inconsistency.
!
Instruction Scope
Runtime instructions explicitly read/write ~/.config/nemovideo/client_id and request generating/storing a token (NEMO_TOKEN) and calling an anonymous-token endpoint via curl. Those file and network operations are expected for this service, but the SKILL.md references an undefined variable ($API) in the curl command and instructs writing a token and client_id to disk — both are potential privacy/security risks if you don't trust the remote service.
Install Mechanism
Instruction-only skill with no install spec or downloaded code, which minimizes installation risk (nothing is written beyond what the SKILL.md tells the agent to do).
Credentials
The skill's primary credential is NEMO_TOKEN which is appropriate for a backend API. It does not request unrelated credentials. However the manifest claims no required env vars while primaryEnv is set, and the instructions ask to set NEMO_TOKEN at runtime (including storing it) — clarify whether you must supply a persistent token or the skill will obtain an anonymous one.
Persistence & Privilege
always is false and the skill only writes to its own config path (~/.config/nemovideo/). It does not request system-wide privileges or modify other skills. Persisting client_id and tokens under that path is normal for a client library, but it does create persistent state on disk.
What to consider before installing
This skill largely does what it says (calls a NemoVideo backend to edit videos), but confirm a few things before you proceed: 1) Manifest inconsistency — the registry shows no required env vars but lists NEMO_TOKEN as primaryEnv; ask whether you must provide a permanent NEMO_TOKEN or if the skill will only use an ephemeral anonymous token. 2) The SKILL.md's curl example uses $API (not defined); confirm the exact endpoint (should be https://mega-api-prod.nemovideo.ai) and whether TLS/certificate validation is enforced. 3) The skill will read/write ~/.config/nemovideo/client_id and may persist tokens there — consider whether you trust nemovideo.com with stored client IDs and tokens and how to revoke them. 4) Because the skill will make network requests to an external service and store an auth token, only install if you trust the vendor or have reviewed their privacy/security practices. If you need higher assurance, ask the maintainer to fix the manifest (declare NEMO_TOKEN in requires.env), make $API explicit, and describe token lifetime and storage/encryption.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fxp5t5akftrgbsc3btgvfm983p7vj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Primary envNEMO_TOKEN

Comments