ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sports Highlight Editor

v1.0.5

The sports-highlight-editor skill analyzes raw game footage and automatically identifies peak moments — goals, dunks, sprints, saves, and crowd reactions — t...

0· 118·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with requested resources: a single NEMO_TOKEN (primary credential) and optional NEMO_API_URL/NEMO_WEB_URL/NEMO_CLIENT_ID are appropriate for a cloud video processing integration.
Instruction Scope
SKILL.md instructs the agent to upload user video and include X-Skill-* headers for traceability, and to persist a UUID at ~/.config/nemovideo/client_id. It also describes detecting SKILL_SOURCE from the install path (which may reveal local path information). These behaviors are coherent with remote API usage but do expose install-source metadata to the remote service.
Install Mechanism
No install spec and no code files — instruction-only skill — so nothing is written to disk by an installer beyond the small client_id file the skill itself documents creating.
Credentials
Only one required secret (NEMO_TOKEN) is declared; other env vars are optional and documented. Persisted client_id is a non-secret UUID. The requested environment access is proportionate to a hosted video-editing API.
Persistence & Privilege
always is false and the skill only documents writing its own client_id to ~/.config/nemovideo/. It does not request system-wide changes or other skills' config; autonomous invocation is allowed by default but not excessive here.
Scan Findings in Context
[no_code_files_for_regex_scan] expected: The static regex scanner had no code files to analyze — this is an instruction-only skill (SKILL.md).
Assessment
This skill will upload your video files to nemovideo.ai and requires a Nemo API token (NEMO_TOKEN). It will store a non-secret client_id at ~/.config/nemovideo/client_id to avoid rate limits. API requests include X-Skill-Source/X-Skill-Version/X-Skill-Platform headers (these can reveal the skill name/version and potentially install path metadata to the remote service). Before installing, verify you trust nemovideo.com (review its privacy/policy and token scopes), avoid using highly sensitive footage unless you accept third-party cloud processing, and be prepared to revoke the token (via Settings → API Tokens) if you stop using the skill. If you need greater assurance, obtain the skill from a verified source or inspect the repo referenced on the homepage before granting the token.

Like a lobster shell, security has layers — review code before you run it.

latestvk972n8wcjxjn03cgw72jgpjtns83xt5d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏆 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments