ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Test Udnerc

v1.0.0

Get processed test video ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, WebM, up to 500MB), say something lik...

0· 57·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, endpoints and actions all align with a cloud video-processing skill. Requesting a NEMO_TOKEN credential is expected. However, the SKILL.md metadata references a config path (~/.config/nemovideo/) for storage even though the skill registry metadata listed no required config paths — that's an internal inconsistency and suggests the skill intends to persist state on disk.
Instruction Scope
Instructions remain within video-processing scope (create session, upload video, poll export, read SSE). They explicitly instruct generating an anonymous token if NEMO_TOKEN is absent and storing session_id for subsequent calls. This means the agent will contact an external domain and upload user-provided video files; that is expected for this service but is notable: user content and tokens will be sent off-host. The doc also instructs the agent not to display raw API responses or tokens to users, which limits visibility into what is being stored/transmitted.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer step described in the registry.
!
Credentials
The only declared environment credential is NEMO_TOKEN (primaryEnv), which is reasonable. However, SKILL.md metadata includes a config path (~/.config/nemovideo/) and the instructions instruct generating and storing anonymous tokens/session IDs if NEMO_TOKEN is missing. The registry did not declare config path requirements earlier — mismatch. Persisting tokens/session state to disk without declaring it is disproportionate to what was advertised and reduces transparency.
Persistence & Privilege
always:false and no autonomous-invocation override — ordinary. But the skill's instructions explicitly create and persist anonymous tokens and session IDs and reference a user config directory; this implies on-disk persistence of credentials and job state. That persistence is not announced in the registry metadata and could be surprising to users.
What to consider before installing
This skill appears to truly be a cloud video test-render helper, but it will upload any video you give it to https://mega-api-prod.nemovideo.ai and will generate or use a NEMO_TOKEN for authorization. Before using/installing: (1) Be aware that your videos and a session token may be sent to and stored by an external service. (2) The SKILL.md references writing/reading ~/.config/nemovideo/ but the registry didn't declare that — ask the publisher where session/tokens are stored and whether they are kept on disk. (3) If you want more control, set your own NEMO_TOKEN rather than letting the skill auto-create one, and avoid uploading sensitive content until you verify the service/privacy policy. (4) Because the skill's source/homepage is unknown, prefer caution: confirm the service domain and privacy/security practices or only use test/non-sensitive footage.

Like a lobster shell, security has layers — review code before you run it.

latestvk975xnh4hmtvy7avha7acy623d84nsj4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments