Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Trimmer Free Download
v1.0.3
ClawHub's video-trimmer-free-download skill lets you trim video clips through a simple chat conversation — no software installation, no subscription wall. Sp...
⭐ 0· 63·0 current·0 all-time
by peandrover adam @peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (video trimming via a cloud API) matches the SKILL.md instructions to upload, trim, and export via https://mega-api-prod.nemovideo.ai. One inconsistency: the registry metadata lists NEMO_TOKEN as required, but SKILL.md documents that NEMO_TOKEN is optional and can be auto-generated via an anonymous-token endpoint. This looks like a documentation/metadata mismatch rather than malicious behavior.
Instruction Scope
Runtime instructions are limited to: greeting the user, uploading/processing video via the nemovideo API, and reading/writing a small client_id to ~/.config/nemovideo/client_id for rate-limit persistence. The skill tells the agent to call the service's API endpoints; it does not instruct broad filesystem scans or exfiltrate unrelated data. Note: it does instruct writing a file in the user's home directory and persisting an anonymous token for the session.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes installation risk — nothing is downloaded or extracted to disk beyond the small client_id file the SKILL.md instructs to create.
Credentials
The primary credential is NEMO_TOKEN, which is appropriate for a service-backed trimming skill. SKILL.md, however, documents that an anonymous token can be created if no token is set (so NEMO_TOKEN is effectively optional). The skill also documents additional non-secret env vars (API/WEB URL, client id). This is proportionate, but the metadata/README mismatch should be clarified. Also be mindful not to reuse a privileged token (e.g., your personal API key for other services) when the skill requests NEMO_TOKEN.
Persistence & Privilege
The skill does persist a small UUID to ~/.config/nemovideo/client_id to avoid creating many anonymous tokens; this is scoped to a single file in the user's home directory and is consistent with the stated need (rate-limiting). The skill does not request system-wide privileges or modify other skills, and 'always' is false.
Assessment
This skill appears to do what it says: it calls nemovideo's API to trim videos and will create a small local file (~/.config/nemovideo/client_id) to persist a generated client ID and optionally obtain a short-lived anonymous token. Before installing, consider: 1) If you prefer not to have any file written, delete or block ~/.config/nemovideo after use; 2) If you already have an API token, don't paste a token that belongs to other services or with broad privileges — only provide a NEMO_TOKEN for this service; 3) Confirm the API domain (mega-api-prod.nemovideo.ai) and homepage (nemovideo.com) are what you expect; 4) If you want absolute privacy, avoid using the cloud service and instead use a local video tool. The only real discrepancy is that the registry metadata marks NEMO_TOKEN as required while the SKILL.md supports auto-generating an anonymous token — ask the publisher to clarify that behavior if it matters to you.
Like a lobster shell, security has layers — review code before you run it.
latest: vk979mk6b1cx8hzbtz2px3ner1s83s6kb
Runtime requirements
✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
