ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Trimmer

v1.0.6

ClawHub's free-video-trimmer skill lets you trim video clips to exact timestamps through a simple chat interface — no software downloads, no timelines to dra...

0· 99·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (trim videos through Nemovideo) matches the instructions (upload video, call nemovideo endpoints). However the registry metadata and the SKILL.md disagree: registry lists NEMO_TOKEN as a required env var and 'no config paths', while SKILL.md declares NEMO_TOKEN optional (auto-generate) and includes a config path (~/.config/nemovideo/). This metadata mismatch is inconsistent and worth confirming with the author.
Instruction Scope
Runtime instructions instruct the agent to upload user videos to https://mega-api-prod.nemovideo.ai and to read/write ~/.config/nemovideo/client_id (UUID only). They also describe detecting install path/skill source from local file paths. Uploading user media to the vendor's API is expected for this skill, but the file-system access (reading/writing ~/.config and probing install paths) extends beyond pure in-chat text processing and should be noted.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by an installer. The only local persistence described is the skill writing a client_id UUID to ~/.config/nemovideo/client_id, which is standard for a client identifier.
Credentials
Only one credential is involved (NEMO_TOKEN). That is appropriate for an API-based video trimming service. But there's an inconsistency: registry metadata marks NEMO_TOKEN as required, while the SKILL.md states it will be auto-generated if absent. The skill also suggests setting optional NEMO_API_URL/NEMO_WEB_URL and persisting a CLIENT_ID. No unrelated credentials are requested.
Persistence & Privilege
The skill does persist a client_id in ~/.config/nemovideo/client_id (UUID only). It does not request permanent 'always-on' privilege and does not attempt to modify other skills or system-wide agent config. Autonomous invocation is allowed (platform default) but not combined with high privileges here.
What to consider before installing
This skill appears to be a front end for the Nemovideo API and will upload user videos to an external service and persist a UUID to ~/.config/nemovideo/client_id. Before installing: (1) confirm the mismatch between registry metadata and SKILL.md about whether NEMO_TOKEN is required or auto-generated, (2) verify you are comfortable uploading the videos you will trim to https://mega-api-prod.nemovideo.ai / nemovideo.com and review that service's privacy/terms, (3) be aware the skill will write a small client_id file to your home config directory, and (4) if source/owner is unknown, prefer not to send sensitive videos or credentials until you can confirm the publisher. If you need higher assurance, ask the author to reconcile the metadata and provide a verified repository or signed release.

Like a lobster shell, security has layers — review code before you run it.

latestvk978g5n1t4v1g67hqqmf0714v983x34r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments