Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editing Ai Software

v1.0.0

Edit raw video footage into edited video clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Content creators and marketers use it for a...

by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (cloud video editing) aligns with the runtime instructions: it makes API calls, uploads video files, creates sessions, and requires a service token (NEMO_TOKEN). Requesting a service token for a remote video-rendering backend is coherent with the stated purpose.
Instruction Scope
Instructions focus on contacting the remote API, creating a session, uploading files, streaming server-sent events, and exporting results — all within the skill's remit. Two notable behaviors: (1) the skill instructs automatically connecting to the backend on first open (network activity may occur without explicit user action), and (2) it tells the agent to read this file's YAML frontmatter and to detect install paths to set attribution headers (requires filesystem access to the skill file/agent install location). These actions are explainable but worth surfacing to users.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk from this vector. Nothing is downloaded or written by an installer in the metadata provided.
Credentials
Declared primary credential (NEMO_TOKEN) is appropriate for a third-party API. However, SKILL.md frontmatter lists a configPaths requirement (~/.config/nemovideo/) while the registry metadata earlier reported no required config paths — this inconsistency is unexplained. Also, the skill will upload user video files to an external domain (mega-api-prod.nemovideo.ai), which has privacy implications; ensure the token and uploads are acceptable to you before use.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It only describes ephemeral session tokens and in-memory session IDs; no persistent installation or cross-skill config modifications are described.
What to consider before installing
This skill appears to be a cloud-based video editor that uploads your files to mega-api-prod.nemovideo.ai and uses a NEMO_TOKEN for authentication — that is consistent with its stated purpose, but exercise caution:
(1) the package has no homepage or verifiable publisher listed — that's a trust signal to check;
(2) SKILL.md and registry metadata disagree about required config paths (~/.config/nemovideo/ is mentioned in the file but not in registry fields) — ask the publisher which is correct;
(3) the skill will automatically contact the backend on first use and can upload videos — do not upload sensitive or private footage until you confirm the service's privacy policy and ownership;
(4) prefer creating or providing your own token rather than relying on the skill to auto-generate/store credentials if you have concerns about persistence;
(5) if you still want to try it, test first with non-sensitive sample videos and verify returned download URLs and headers are what you expect.
If you need higher assurance, request a reputable homepage, documentation, or publisher contact before installing.


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN