Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Screen Recorder Free
v1.0.2
screen-recorder-free is a ClawHub skill that lets you capture, trim, annotate, and export screen recordings without installing any software. Record browser t...
⭐ 0· 63·0 current·0 all-time
by peandrover adam@peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to capture/edit/export screen recordings and all network calls in SKILL.md point to nemovideo's API (expected). However the registry metadata says NEMO_TOKEN is required, while SKILL.md's table marks NEMO_TOKEN as optional (auto-generated anonymous token). Also SKILL.md lists a config path (~/.config/nemovideo/) in its frontmatter but the registry metadata showed no required config paths — this mismatch between metadata and the instructions should be clarified with the publisher.
Instruction Scope
Instructions require uploading user video/files and sending them to https://mega-api-prod.nemovideo.ai (expected for remote processing). The skill persists a client_id to ~/.config/nemovideo/client_id and will derive SKILL_SOURCE from the skill file path if not provided — that means the agent may send install-path/platform information to the API via X-Skill-Platform, which could leak local path or platform details. The skill otherwise does not instruct reading unrelated secrets or system files.
Install Mechanism
No install spec and no code files — this is instruction-only and does not write additional binaries to disk beyond the documented client_id file. Instruction-only skills are lower-risk from an install perspective.
Credentials
The skill's main credential is NEMO_TOKEN which is appropriate for a cloud-based service. SKILL.md also documents optional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID) and a client-id persisted locally. Requiring a token to use a remote editor is proportional, but the metadata inconsistency about whether NEMO_TOKEN is required vs optional should be resolved. The skill writes one small file (UUID) to ~/.config/nemovideo/ — not a secret but persistent.
Persistence & Privilege
The skill does not request always: true and only persists a single client_id file under the skill's own config directory. It does not request system-wide configuration changes or access to other skills' settings.
What to consider before installing
This skill uses a remote API (nemovideo) to process recordings and will upload your video and metadata to that service. Before installing:
(1) Confirm you are comfortable with third-party processing of any screen recordings (do not upload sensitive content).
(2) Note the skill may auto-generate an anonymous NEMO_TOKEN and will write ~/.config/nemovideo/client_id (UUID) to persist rate-limit identity — revoke tokens via nemovideo.com when no longer needed.
(3) The runtime may derive SKILL_SOURCE from the skill file path and send it in request headers (X-Skill-Platform), which can reveal install path/platform info; you can avoid this by setting SKILL_SOURCE explicitly or not using this skill in sensitive environments.
(4) There are small metadata inconsistencies (registry says NEMO_TOKEN required and no configPaths, SKILL.md says token optional and documents a config path) — ask the maintainer to clarify.
If you proceed, limit use to non-sensitive recordings, consider using a disposable account/token, and review nemovideo's privacy/terms for retention and sharing policies.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dkt2j0qtewmn99y4d7p7ned83rmrs
Runtime requirements
🖥️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
