Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nemo Edit
v1.8.12Tell NemoEdit what you want done to your video and it handles the rest — no timeline, no interface to learn, just a conversation. Bring in clips in formats l...
⭐ 0· 262·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared purpose (upload clips, build edit specs, render jobs) matches the API endpoints and the instructions. Requesting a client_id under ~/.config/nemovideo/ and an API token is coherent for a cloud video editing service. However, registry metadata presented earlier says no required env vars while SKILL.md declares primaryEnv: NEMO_TOKEN and requires.env: ["NEMO_TOKEN"]; this inconsistency is unexpected and reduces confidence.
Instruction Scope
Runtime instructions tell the agent to read/write ~/.config/nemovideo/client_id, generate and persist a UUID there, POST to an anonymous-token endpoint, and store the returned token as NEMO_TOKEN for the session. Those file operations and token handling are within the skill's domain but are explicit and persistent — the SKILL.md also uses inconsistent environment variable names ($API, NEMO_TOKEN, NEMOVIDEO_API_KEY) and mixed base URLs. The instructions do not reference reading unrelated system files, but the variable/name mismatches and instructions to persist tokens and client IDs are risky if left ambiguous.
Install Mechanism
This is instruction-only with no install spec or bundled code; nothing is downloaded or written by an installer. That gives a lower install risk surface.
Credentials
The skill declares primaryEnv NEMO_TOKEN and a config path under ~/.config/nemovideo/, which is proportionate to a cloud API client. But the SKILL.md/refs inconsistenly reference different env names (NEMO_TOKEN vs NEMOVIDEO_API_KEY vs Authorization: Bearer <NEMOVIDEO_API_KEY>), different API domains (mega-api-prod.nemovideo.ai vs mega-api-dev.nemovideo.ai), and undefined variables ($API, $CLIENT_ID). These mismatches could cause accidental exposure of the wrong credential or incorrect token storage behavior. The skill asks to persist a client_id on disk and to store tokens for the session — users should consider whether they want those values saved locally.
Persistence & Privilege
always:false (normal). The skill will create/read ~/.config/nemovideo/client_id and may save an anonymous token to an environment/session variable. Writing its own config path is normal for a client, but it does introduce persistence of identifiers/tokens on the host. The skill does not request system-wide settings or other skills' configs.
What to consider before installing
This skill looks like a real cloud video-editing client, but there are multiple inconsistencies in the instructions that you should clarify before installing or using it with sensitive content. Things to check/ask the author: (1) Which environment variable is authoritative — NEMO_TOKEN or NEMOVIDEO_API_KEY? (2) Which API base should be used (prod vs dev)? The SKILL.md references both. (3) Will tokens be persisted to disk permanently or only kept in-memory for the session? Where and how are they stored? (4) What exact file(s) will be created under ~/.config/nemovideo/, and can you review them beforehand? (5) Confirm the homepage/repository ownership and privacy/retention policy for uploaded videos. Until those are clarified, avoid supplying production API keys or uploading sensitive video content. If you proceed, prefer using an ephemeral/limited token, review any files created in ~/.config/nemovideo/, and verify TLS/hostname (mega-api-prod.nemovideo.ai) and the skill's official repository/source to ensure authenticity.Like a lobster shell, security has layers — review code before you run it.
latestvk97aqqk3r8a7rrez0t9y9k7zkh84bqrv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
✂️ Clawdis