Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Batch Video
v1.0.0process multiple video files into processed MP4 files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. marketers use it for applying the sa...
⭐ 0· 58·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (batch video processing) aligns with the runtime instructions which call a cloud render API and accept uploads. Requesting a NEMO_TOKEN is consistent with a cloud service credential. However, the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) that is not listed in the registry metadata — this is an unexplained mismatch.
Instruction Scope
The SKILL.md explicitly instructs the agent to create sessions, upload user files, stream via SSE, poll status, and include attribution headers — all expected for a remote render service. The concerning bit is the frontmatter reference to a local config path (~/.config/nemovideo/) and the instruction to 'use NEMO_TOKEN if in environment, otherwise generate one' which implies the skill may look for or prefer local credentials/config. There are no instructions to access unrelated files, but the implicit local config access is scope-creep unless justified.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing gets written to disk by an installer. That is the lowest-risk install footprint.
Credentials
The only declared credential is NEMO_TOKEN, which is proportional to a cloud video service. However, the frontmatter's configPaths entry ( ~/.config/nemovideo/ ) would grant the skill access to files in the user's config directory; that path is not declared in the registry metadata and is not explained in the docs. Requiring both an env token and potentially a config path is disproportionate unless the publisher explains why the local config is needed.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistent agent privileges. It runs as an instruction-only skill and can be invoked by the user; autonomous invocation is allowed by default but not, by itself, a red flag.
What to consider before installing
This skill appears to be a legitimate cloud-based batch video processor, but there are two things to check before installing or providing credentials:
1) Source and trust: there is no publisher homepage or provenance. Verify the nemovideo domain and the publisher identity. Ask for a homepage, documentation, or a company/maintainer identity you trust before sending private or sensitive videos.
2) Local config access: SKILL.md frontmatter references ~/.config/nemovideo/ but the registry metadata did not list any required config paths. Ask the publisher why that local config is needed and whether the skill will read any files there. If you do not want the skill to access local config, prefer using an anonymous starter token (the skill documents how to request one) rather than supplying a long-lived NEMO_TOKEN.
Also consider data-privacy questions: where uploaded videos are stored, retention period, whether outputs are private, and whether the service encrypts data at rest/in transit. If you must provide NEMO_TOKEN, prefer creating a scoped/short-lived credential and test with non-sensitive content first.Like a lobster shell, security has layers — review code before you run it.
latestvk97f7sdtqeqf7h4ra20bzk665984m5yq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📦 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN