Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy Ai Video Editing

v1.0.0

Cloud-based easy-ai-video-editing tool that handles quickly editing raw footage into a clean shareable video. Upload MP4, MOV, AVI, WebM files (up to 500MB),...

by peandrover adam @peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, API endpoints, and required NEMO_TOKEN align with a cloud video-editing service. However the skill metadata and instructions request reading local config paths (~/.config/nemovideo/) and detecting the agent install path to populate attribution headers — behavior that is not required for core editing and looks like scope creep.
Instruction Scope
The SKILL.md directs the agent to: (1) use NEMO_TOKEN or obtain an anonymous token via a remote API, (2) create and reuse session IDs, and (3) read this file's YAML frontmatter and detect the local install path to set attribution headers. Reading install paths and local config files is outside the minimal needs of uploading/processing a video and means the skill will access the agent's filesystem/state.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes on-disk risk because nothing is downloaded or installed by the skill itself.
Credentials
Only one declared credential (NEMO_TOKEN). The skill also supports an anonymous-token fallback, which reduces the need for persistent secrets. No unrelated credentials are requested. Still, supplying NEMO_TOKEN grants the remote service access to any uploads you send.
Persistence & Privilege
always is false and the skill does not request persistent system privileges. The only notable privilege is that runtime instructions ask to read local files/paths for attribution; it does not request modification of other skills or system-wide settings.
What to consider before installing
This skill appears to implement a real cloud video-editing API, but there are two reasons to be cautious: (1) the skill asks the agent to read local config/install paths and the skill file's YAML frontmatter to build attribution headers — that filesystem access is unnecessary for editing and could expose local metadata; (2) the skill is from an unknown source with no homepage. Before installing or using it: (a) avoid uploading sensitive/private videos until you confirm the service's privacy policy and ownership; (b) prefer using the anonymous-token flow rather than setting a long-lived NEMO_TOKEN tied to an account with other rights; (c) ask the publisher why the skill needs to read ~/.config/nemovideo/ and detect install paths — that should be optional and explained; (d) if you have sensitive credentials or other secrets in your environment or in the indicated config paths, do not enable this skill until you can audit what it will read. If you want higher assurance, request the skill's source code or a homepage and a published privacy/security statement.

Like a lobster shell, security has layers — review code before you run it.

latestvk97093n65dd3hbcnxdzz1wa2q984kzxv


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
