ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Wedding Video Editor

v1.0.0

You filmed eight hours of footage across two cameras, a drone, and three iPhones. The ceremony is buried in hour three. The first dance is split across four...

0· 28·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises multi-camera sync, audio replacement, color grading and large-file uploads/processing, but the skill declares no required binaries (e.g., ffmpeg), no dependencies, and no required credentials. A real service doing this would typically require either local tools or an authenticated API and explicit upload instructions; the absence of those is inconsistent with the stated capabilities.
!
Instruction Scope
The SKILL.md instructs users to 'Upload your raw wedding footage' and to provide personal descriptions of the couple, which implies transmitting large, sensitive personal video to an external service. However it gives no runtime steps, no guidance on where uploads go beyond a front-matter apiDomain, no consent/data-retention details, and no limits on what to collect — leaving wide latitude for exfiltration of private data.
Install Mechanism
No install spec or code files are present (lowest disk-write risk). That said, the skill references an apiDomain (https://mega-api-dev.nemovideo.ai) implying remote processing; because there is no declared auth or vetted release host, network calls to an external service are the primary risk vector.
!
Credentials
The skill declares no required environment variables or credentials despite indicating use of an external API (apiDomain). It's unusual for a remote processing service to require zero credentials or configuration; lack of declared auth is disproportionate to expected needs and masks how/where sensitive videos are sent.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always is false, no config paths), so it does not demand permanent agent-level presence. The primary concern is data transmission, not privilege escalation.
What to consider before installing
Do not upload real wedding footage until you verify the service. Ask the publisher: (1) Who owns/operates https://mega-api-dev.nemovideo.ai and is that a production endpoint (the 'dev' subdomain is suspicious)? (2) Where will uploaded videos be stored, for how long, and who can access them? (3) Is an API key required and why isn't it declared? (4) Do they support local/offline processing or self-hosting to avoid sending private footage offsite? (5) Is transport encrypted and is there a data deletion policy and GDPR/CCPA compliance? If you must test, use non-sensitive sample clips first. Prefer a skill that documents authentication, data retention, and provides code or a vetted production endpoint before sending private videos.

Like a lobster shell, security has layers — review code before you run it.

latestvk971bbz051dvqzv4zswmnd1vmx8445q4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments