ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Drone Video Editor

v1.0.0

Raw drone footage arrives as flat, ungraded clips with inconsistent horizon lines, abrupt cuts between altitude changes, and ambient wind noise on the audio...

0· 44·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims cloud-like processing (horizon correction, grading, noise removal) but provides no implementation details, homepage, or source. Metadata declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) that are consistent with an external service, but the registry metadata lists no required env vars and the SKILL.md's openclaw.requires.env is empty — this mismatch is incoherent and unexplained.
!
Instruction Scope
Runtime instructions simply ask the user to 'Upload the raw drone clips' and describe the intended use, but do not state where uploads go, whether processing is local or remote, what third-party endpoints will receive the footage, or how long data is retained. The SKILL.md itself does not instruct reading unrelated system files, but the declared config path implies access to user config which is not described in the instructions.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which reduces on-disk risk. However, being instruction-only increases reliance on external services/APIs that are not documented here.
!
Credentials
A primary credential (NEMO_TOKEN) is specified but not listed in the skill's requires.env array; required env vars are otherwise empty. The skill also requests access to a user config path (~/.config/nemovideo/). These credential/config requests are plausible for a remote video-processing service, but their omission from the declared requirements and lack of explanation about token scope and config contents is disproportionate and unclear.
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated platform privileges. There is no indication it modifies other skills or system-wide settings.
What to consider before installing
This skill may call an external service to process uploaded footage, but it gives no publisher info, no privacy/retention details, and has inconsistent credential declarations. Before installing: ask the publisher for a homepage or documentation; confirm what NEMO_TOKEN is for, where uploads are sent, and whether processing is local or cloud-based; request a data retention and privacy policy (how long footage is stored, who can access it); verify the minimum required token scope and whether credentials are stored locally; avoid uploading sensitive footage until you receive answers; consider testing with non-sensitive sample footage first or use well-known local tools (ffmpeg, RNNoise, OpenColorIO-based graders) if you need full transparency. If the publisher cannot provide clear answers, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk972p25wnwgqwytgh7bs3cz4q583xfwg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚁 Clawdis
Primary envNEMO_TOKEN

Comments