ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Video Editor

v2.0.0

Edit and optimize videos for YouTube with AI — create retention-maximizing content with hook-first intros, zoom-cut talking head edits, chapter markers, end...

0· 102·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (YouTube video editing) align with the instructions in SKILL.md: it describes automated edits, zoom-cuts, chapters, thumbnail extraction, etc. Requesting a service token (NEMO_TOKEN) and a NemoVideo config path is consistent with a cloud editor.
Instruction Scope
SKILL.md implicitly operates on user media and configuration (mentions ~/.config/nemovideo/ and a primary token). That is expected for a cloud editing service, but the instructions (as provided) will result in uploading raw footage and user config to an external/third-party service — the SKILL.md does not include provenance or explicit endpoint/privacy details in the metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files. Low installation risk because nothing is written to disk by the skill itself beyond reading the optional config path.
!
Credentials
Registry metadata shows no required env vars but the SKILL.md metadata declares a primaryEnv (NEMO_TOKEN) and a config path (~/.config/nemovideo/). That is roughly proportionate for an API-based editor, but the inconsistency (required env vars listed as none while primaryEnv exists) and the request to access a user config directory that may contain tokens/config are notable and should be verified. No other env vars are declared, which is appropriate, but the skill will need credentials to upload/process media.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. Nothing requests permanent system-wide presence or modification of other skills. Autonomous invocation combined with external uploads increases importance of trusting the service.
What to consider before installing
This skill is coherent with a cloud-based AI video editor, but take these precautions before installing: 1) Ask the publisher for the service homepage, privacy policy, and exact endpoints the skill will upload media to (none are provided). 2) Verify what NEMO_TOKEN represents and create a scoped/test token (not your primary credentials). 3) Inspect ~/.config/nemovideo/ before installation and remove/backup any sensitive files; prefer creating a dedicated account for the skill. 4) Do a test run with non-sensitive footage first. 5) If you cannot verify the vendor or privacy practices, avoid uploading sensitive or proprietary video. 6) Consider disabling autonomous invocation (or require explicit user confirmation before uploads) until you trust the service. If you can provide the full SKILL.md (untruncated) or the service homepage, I can reassess with higher confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d84zvhs8n0qwbfk1jm8dyfd83rchz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

▶️ Clawdis
Primary envNEMO_TOKEN

Comments