Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Resize
v1.0.1
Resize and reframe videos for every platform with AI — convert 16:9 landscape to 9:16 vertical, 1:1 square, 4:5 tall, and any custom aspect ratio with intell...
by peandrover adam @peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (AI video reframing) aligns with making API calls to NemoVideo and requiring an API token (NEMO_TOKEN). However, the manifest lists no required env vars while also declaring primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/) — that mismatch is unexpected and worth explaining.
Instruction Scope
SKILL.md is instruction-only and shows the agent calling nemo's API (curl to mega-api-prod.nemovideo.ai) and uploading videos. Instructions do not appear to ask the agent to read unrelated system files or secrets beyond using the API token example shown.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes on-disk risk because nothing is downloaded or executed locally by the skill itself.
Credentials
Requesting a single API credential (NEMO_TOKEN) is appropriate for a cloud API integration. But the manifest inconsistency (requires.env is empty while primaryEnv is set to NEMO_TOKEN) and the declared configPaths (~/.config/nemovideo/) are disproportionate/unexplained: either the skill expects a local config file or it does not. That ambiguity raises the possibility of unexpected local credential reads or writes.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent, always-loaded privileges. Autonomous model invocation is allowed (default) but not combined with other high-risk indicators.
What to consider before installing
This skill appears to do what it says (call NemoVideo's API to reframe videos) and needs your Nemo API token to operate. Before installing, confirm two things with the publisher: (1) why the manifest's requires.env is empty while primaryEnv is NEMO_TOKEN — ensure the skill will only use the token for API calls to nemovideo.ai, and (2) why ~/.config/nemovideo/ is declared — ask whether the skill will read or write files there and what will be stored. Because this is instruction-only, it won't install code locally, but any provided NEMO_TOKEN grants the skill the same rights your token has on NemoVideo's service. If you proceed, use a scoped token (least privilege), review NemoVideo's privacy/security docs, and rotate the token if you stop using the skill. If you need higher assurance, ask for a clear manifest update or check the referenced repository for implementation details.
Like a lobster shell, security has layers — review code before you run it.
latestvk9785pb65fhq908nkspwnf19as83tqps
Runtime requirements
📐 Clawdis
Primary env: NEMO_TOKEN
