ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Online Highlight Editor

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — extract the best moments and compile them into a 2-minute highlight reel —...

0· 55·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared primary credential (NEMO_TOKEN) and the SKILL.md endpoints are coherent with an online video-processing backend. However, the SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) that is not reflected in the registry metadata summary, and there is no source URL or homepage to verify the provider—this mismatch and lack of provenance is unexplained.
!
Instruction Scope
Runtime instructions include uploading user video files (multipart or by URL) to https://mega-api-prod.nemovideo.ai, creating sessions, and streaming SSE responses. That is expected for the stated purpose, but it means full media files are transmitted to a third party. Instructions also describe creating anonymous tokens via an API if NEMO_TOKEN is absent. The skill does not explicitly instruct the agent to read unrelated local files, but the upload pattern expects reading local file paths supplied by the user.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes on-disk code risk because nothing is downloaded or installed by the skill itself.
!
Credentials
Only NEMO_TOKEN is declared as required, which is appropriate for a hosted service. However the SKILL.md frontmatter references a config path (~/.config/nemovideo/) that could expose more local configuration if used; the registry metadata earlier listed no config paths, creating an unexplained inconsistency. Also, the skill will generate and use anonymous tokens if none are present, which is convenient but means the agent may obtain credentials on the user's behalf and use them to upload data.
Persistence & Privilege
always:false and no persistent installation. The skill keeps session_id state for interactions with the service (normal). It does not request system-wide privileges or declare modifications to other skills.
What to consider before installing
This skill appears to do what it says (remote highlight extraction) but exercises caution: 1) The provider is not verifiable (no homepage/source) — that increases privacy risk. 2) Using the skill will upload your raw videos to https://mega-api-prod.nemovideo.ai (a third party). Do not upload sensitive or private footage until you confirm the service and its privacy/security practices. 3) The SKILL.md mentions a config path (~/.config/nemovideo/) that isn't declared elsewhere — ask the author whether the skill will read local config files and why. 4) If you do try it, prefer providing a throwaway/limited token or use the anonymous flow and test with non-sensitive sample videos first. 5) If you need higher assurance, ask for the skill's source code or an official homepage and privacy policy before enabling it.

Like a lobster shell, security has layers — review code before you run it.

latestvk973dsv7rcttknw0g4n0xm39j184n079

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments