ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Wedding Video

v1.0.0

Create cinematic wedding films, highlight reels, and save-the-date videos using AI-powered editing. NemoVideo synchronizes multi-camera footage, extracts vow...

0· 43·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions consistently describe an AI video-editing service. The declared primary credential (NEMO_TOKEN) is used in the example API call, which is appropriate for a hosted editing API. However, SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — that mismatch should be explained.
Instruction Scope
SKILL.md instructs users to upload raw footage and shows an example curl POST to https://mega-api-prod.nemovideo.ai using the NEMO_TOKEN. The instructions stay within the editing use case, but they direct potentially sensitive, large-volume user data to an external API. The skill does not explicitly document where files are stored, retention policies, or whether uploaded footage may be used to train models — these are important scope/privacy gaps.
Install Mechanism
No install spec and no code files (instruction-only) reduces risk because nothing is written to disk by an installer. The runtime uses an external API via curl in the docs rather than installing third-party binaries.
Credentials
The only declared credential is NEMO_TOKEN, which matches the API usage shown and is proportionate. But SKILL.md also lists a config path (~/.config/nemovideo/) in its metadata; that implies the skill might read local config files for tokens or settings. Registry metadata showed no required config paths — this inconsistency should be clarified. Consider how the agent will obtain the token (env var vs. local config) and whether the skill will read arbitrary files.
Persistence & Privilege
always is false and there is no install/scripted persistent behavior. The skill does not request elevated platform privileges or permanent inclusion. Autonomous invocation is allowed (platform default) but does not combine here with other red flags.
What to consider before installing
Before installing, verify the service and limits: 1) Confirm the API domain and operator (no homepage or source is listed here); ensure the endpoint (mega-api-prod.nemovideo.ai) is legitimate and has HTTPS and a privacy policy. 2) Ask the provider about data handling: where uploaded footage is stored, retention period, who can access it, whether data is used to train models, and whether you can delete all assets on request. 3) Use a scoped, revocable API key for NEMO_TOKEN (not a full-account long-lived secret); rotate or revoke keys after testing. 4) Clarify the configPath discrepancy (~/.config/nemovideo/ in SKILL.md vs. none in registry): find out whether the skill will read local files and which ones. 5) Test on non-sensitive footage first and confirm costs, upload limits, and turnaround behavior. 6) If you handle guests' footage, verify consent/legal issues before uploading. If the vendor cannot provide clear answers or an official homepage/TOS/privacy docs, treat the integration as higher risk and avoid sending real wedding footage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dzs89t1hfpkkwffsatknn4x83rz33

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💍 Clawdis
Primary envNEMO_TOKEN

Comments