Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Video Editor For Beginners
v1.0.0Tired of downloading five different apps only to feel overwhelmed by timelines, codecs, and confusing menus? Finding the best-video-editor-for-beginners shou...
⭐ 0· 25·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to recommend video-editing tools and uses a cloud backend for lookups, comparisons and optional rendering — requiring a NEMO_TOKEN and API access is plausible. Requiring only one credential (NEMO_TOKEN) is proportionate for a cloud-backed recommendation/rendering service.
Instruction Scope
The SKILL.md explicitly instructs the agent to: (1) read this file's YAML frontmatter at runtime and detect an install path (e.g., ~/.clawhub or ~/.cursor/skills/) to set X-Skill-Platform — this requires filesystem access that isn't declared in requires.config or requires.env; (2) upload local files (multipart -F "files=@/path") to an external API, which is expected for video processing but is also a data-exfiltration vector if misused; (3) generate anonymous tokens and create sessions, then store session_id for future requests. The file also instructs not to display raw API responses or token values to users, which could hide sensitive interactions. These instructions broaden what the agent will access and transmit beyond simple recommendation text.
Install Mechanism
Instruction-only skill with no install spec or downloaded artifacts — lowest install risk. Nothing is written to disk by an installer step in the registry metadata.
Credentials
Only NEMO_TOKEN is declared and used as the primary credential, which aligns with the described API usage. The skill will generate an anonymous token if none is present — this reduces the need for a pre-provided secret but means the agent will call an external auth endpoint and store session state. No unrelated credentials are requested.
Persistence & Privilege
always is false and autonomous invocation is allowed (platform default). The skill instructs storing a session_id for subsequent calls but does not request permanent system-wide privileges or modify other skills. This is expected for a cloud-backed skill, but storing session state increases persistent state on the agent.
What to consider before installing
This skill mainly does what it says (help pick beginner video editors) but it relies on an external API (mega-api-prod.nemovideo.ai). Before installing, consider:
- Trust the external service: the skill will call that API for token issuance, session creation, lookups, and uploads. If you don't recognize the domain, ask the author for more information or use a vendor you trust.
- Files you provide may be uploaded: video files (or any local path the agent is instructed to upload) will be sent to the remote service. Do not upload sensitive videos or files you wouldn't want transmitted off your machine.
- The skill asks the agent to read the SKILL.md frontmatter and detect install paths to populate headers — that requires filesystem access not declared elsewhere. If you want to limit filesystem reads, confirm how the agent runtime enforces filesystem access policies.
- Tokens and session IDs are created/stored by the skill. If you prefer control, pre-set NEMO_TOKEN yourself (from a trusted source) rather than letting the skill obtain an anonymous token.
If any of the above is unacceptable, do not install. If you want to proceed, ask the publisher for a privacy/processing policy and more details about what exactly is uploaded and how long renders or media are retained on their servers.Like a lobster shell, security has layers — review code before you run it.
latestvk979p7cfwetqkycde572p93fd9840fap
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN