ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Podcast Video Camera

v1.0.0

Get polished podcast videos ready to post, without touching a single slider. Upload your raw footage (MP4, MOV, AVI, WebM, up to 500MB), say something like "...

0· 42·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with instructions: cloud GPU-based AI video editing that uploads media and returns processed files. Requesting a single service token (NEMO_TOKEN) is reasonable for this purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata stated no required config paths — this mismatch is unexpected and should be clarified.
Instruction Scope
Runtime instructions stay within the editing use case (obtain/use a NEMO_TOKEN, create session, upload video, poll render status, download output). They direct the agent to POST user files and use SSE for streaming, which is appropriate for a cloud edit service. A minor scope creep: the skill asks to auto-detect 'X-Skill-Platform' from the install path, which implies reading the agent's install path or environment — not strictly necessary for editing and worth confirming.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
Only one credential is requested (NEMO_TOKEN), which is reasonable. The SKILL.md will auto-acquire an anonymous token if none is provided, so user secrets are not required. However, the frontmatter's configPaths entry (~/.config/nemovideo/) suggests the skill may try to read a local config directory (contradicting registry data). That could expose local files if true — ask whether that path is actually accessed and why.
Persistence & Privilege
Skill does not request 'always: true' and has no install actions that persist on disk. Autonomous invocation is allowed (platform default) but there is no elevated persistence or modification of other skills.
What to consider before installing
This skill appears to be a cloud-based video-editing front end that uploads your media to nemovideo.ai and returns edited files. Before using it, confirm: 1) The service domain (mega-api-prod.nemovideo.ai) is the official provider you expect and its privacy/retention policy is acceptable for your content, since your media will be uploaded off-device. 2) Whether the skill actually reads the suggested local config path (~/.config/nemovideo/) or the agent install path — if so, ask what data is read and why. 3) That no other sensitive credentials (AWS, GitHub, etc.) are required — the skill only needs NEMO_TOKEN and can create an anonymous token if you prefer not to supply one. Note that this is an instruction-only skill with no code for static scanning; absence of scan findings does not guarantee safety. If you need stronger guarantees, request the skill owner/source, a privacy/terms link, or an implementation that runs locally instead of uploading data to a remote API.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fp96zzw870cdk9sp4m1bz9d84qdxs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎙️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments