Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WeChat Video Editor - AI Video Editing for Douyin Xiaohongshu and TikTok
v1.0.0支持微信视频号、抖音、小红书、TikTok 格式导出。中文对话剪辑,无需打开任何软件。 AI video creation and editing — generate videos from text descriptions, edit with background music, sound effects...
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (AI video creation & editing) match the runtime instructions: the SKILL.md describes creating sessions, uploading media, editing, exporting, and calling a NemoVideo backend API. Requesting a Nemo-specific token (NEMO_TOKEN) and using an API URL is expected for this functionality.
Instruction Scope
Instructions stay focused on forwarding user actions to NemoVideo via SSE/REST. They do read/write a single local config file (~/.config/nemovideo/client_id) to persist a client UUID and instruct the agent to include attribution headers (X-Skill-Source/Version/Platform) in API calls. These behaviors are explainable for rate-limiting, attribution, and session management, but they do expose some local metadata (skill source/path) to the remote API and will transmit user-provided media/content to the external service.
Install Mechanism
There is no install spec and no code files executed by the platform — the skill is instruction-only. No downloads, extract steps, or external install URLs are present, which reduces install-time risk.
Credentials
The only credential surface is the Nemo token (NEMO_TOKEN) and optional API/WEB URLs; that's proportional to a cloud video editing service. The SKILL.md also auto-generates an anonymous token if none is supplied, which is consistent with the described workflow. No unrelated secrets or third-party credentials are requested.
Persistence & Privilege
The skill persists a non-secret UUID to ~/.config/nemovideo/client_id to avoid token rate limits; this is a limited local persistence and consistent with its stated need. The skill is not marked always:true and does not request system-wide privileges or modify other skills' configs. The agent will, however, send user content and metadata to the remote NemoVideo backend when used.
Assessment
This skill appears to do what it says: it forwards your requests and media to the NemoVideo backend to create and export videos. Before installing, consider: (1) Privacy — uploaded media and any chat prompts will be sent to nemovideo's API (https://mega-api-prod.nemovideo.ai by default); do not send sensitive files you wouldn't want shared with that service. (2) Local persistence — the skill writes a UUID to ~/.config/nemovideo/client_id to manage anonymous tokens; this file holds no secrets but reveals that the skill has been used on this machine. (3) Attribution headers — the skill sends X-Skill-Source/X-Skill-Version/X-Skill-Platform which can include a detected install path/platform value; if you prefer not to disclose that, review or override SKILL_SOURCE before use. (4) Token lifecycle — anonymous tokens expire and can be auto-generated; if you later register an account or revoke tokens, follow the service's instructions. If you do not fully trust nemovideo.com or want to avoid sending media externally, do not enable the skill or restrict agent autonomy when invoking it.Like a lobster shell, security has layers — review code before you run it.
latestvk97743kapn4ers5d9cwbmq6cv983d48e
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
Primary envNEMO_TOKEN