Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Ai Video Editor

v1.1.0

Edit videos with AI for free — trim, cut, merge, add captions, background music, transitions, color grading, text overlays, slow motion, and export without w...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and SKILL.md describe an online AI video editing service and the included example curl uses an Authorization: Bearer $NEMO_TOKEN to call an API (mega-api-prod.nemovideo.ai), which is coherent with the stated purpose. However, the registry metadata lists a config path (~/.config/nemovideo/) even though the skill is instruction-only and declares no required env vars — that config path is not justified by the prose and looks unnecessary or inconsistent.
Instruction Scope
The SKILL.md stays on-topic: uploading videos, describing edits, and POSTing a generate request to the vendor API. It does not instruct reading arbitrary system files. But there is a mismatch between the declared primary credential (NEMO_TOKEN) and requires.env (empty), and the metadata's configPaths suggests possible local configuration access; those inconsistencies are scope creep and should be clarified. The SKILL.md also references an external API domain that has no linked homepage or source — provenance is missing.
Install Mechanism
No install spec and no code files are present (instruction-only). This is the lowest-risk install mechanism because nothing is downloaded or written by the skill itself.
Credentials
Requesting a single primary credential (NEMO_TOKEN) is proportionate for a hosted API-driven editor. However, requires.env is empty despite primaryEnv being set, and the presence of ~/.config/nemovideo/ in metadata is unexplained. Also there is no mention of minimum token scope, rotation, or whether the token is stored or transmitted elsewhere — this uncertainty increases risk when you must supply a secret.
Persistence & Privilege
The skill does not request always:true and has no install behavior; it won't force permanent inclusion or create binaries. Autonomous invocation is allowed by default (platform normal), but nothing in the skill grants elevated system privileges.
What to consider before installing
This skill appears to be an instruction-only wrapper for a NemoVideo API and needs a NEMO_TOKEN. Before installing: (1) verify the vendor and domain (nemovideo.ai / mega-api-prod.nemovideo.ai) and try to find an official homepage or privacy policy — none is provided in the registry metadata; (2) do not reuse a high-privilege or long-lived secret—create a token scoped only for this service and that can be rotated; (3) avoid uploading sensitive or private videos until you confirm the service's retention and privacy practices; (4) ask the publisher why requires.env is empty while primaryEnv is set and why a local config path is declared — unexplained metadata is a red flag; (5) test with non-sensitive sample videos first. If you cannot verify the service provenance and token handling, treat the skill as untrusted and do not supply real credentials or private content.

Like a lobster shell, security has layers — review code before you run it.

latest vk97cq3sxh1xzjccgj9mrnhd7rd83rz07

Runtime requirements

🆓 Clawdis
Primary env: NEMO_TOKEN
