ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Merge Videos

v1.0.4

Video merger that combines multiple video clips into a single finished video through AI chat. Upload two or more clips and describe how to join them: side by...

0· 91·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env var (NEMO_TOKEN), declared config path (~/.config/nemovideo/) and the API domain all align with a client that uploads video, creates sessions, and calls the nemovideo backend.
Instruction Scope
The SKILL.md tells the agent to read/write ~/.config/nemovideo/client_id, to obtain or use NEMO_TOKEN, to upload files and stream SSE responses to/from https://mega-api-prod.nemovideo.ai. Those actions are expected for a remote video-processing frontend, but they will transmit user video files and create a persistent client_id file. The instructions also add custom headers (X-Skill-Platform) which may expose the agent's SKILL_SOURCE (potentially an install path) — minor privacy leakage to be aware of.
Install Mechanism
No install spec or code is included; this is instruction-only, so nothing is downloaded or written during install beyond what the runtime instructions explicitly request (the config file).
Credentials
Only NEMO_TOKEN is required (primary credential). Optional env vars listed (API/WEB URL, client id) are relevant. No unrelated secrets or extra cloud creds are requested.
Persistence & Privilege
The skill persists a client_id under ~/.config/nemovideo/ and may store/renew an anonymous token valid for 7 days; it does not request system-wide privileges or force inclusion. Persisting a client_id and session token is reasonable for this use case but results in on-disk state in the user's home directory.
Assessment
This skill appears to do what it says: it uploads videos to nemovideo's API and returns merged output. Before installing or using it, consider: 1) You will be uploading your video files to https://mega-api-prod.nemovideo.ai — do not upload sensitive material unless you trust the service and reviewed its privacy policy. 2) The skill will create ~/.config/nemovideo/client_id and may persist an anonymous token (valid ~7 days); if you prefer, set your own NEMO_TOKEN instead of allowing anonymous-token generation. 3) The skill includes headers that may leak an install path or skill-source string; if that is a concern, review or override SKILL_SOURCE/NEMO_CLIENT_ID. 4) No unrelated credentials are requested. If any of these behaviors are unacceptable, do not enable the skill or contact the provider for an alternative integration.

Like a lobster shell, security has layers — review code before you run it.

latestvk97agsvk8fkzb7pmex0anxa56n83png2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments