ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linkedin Video Editor

v1.0.4

LinkedIn Video Editor — Edit Professional LinkedIn Videos and Thought Leadership. A text post reaches your followers. A native LinkedIn video reaches their...

0· 147·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with a video-editing service and the single required env var (NEMO_TOKEN) is consistent with using an external NemoVideo API. However the SKILL.md metadata includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and worth clarifying.
!
Instruction Scope
SKILL.md is primarily marketing text and contains only metadata (homepage, repository, apiDomain) rather than explicit runtime instructions. It does not specify exactly which local files will be read, how uploads are authorized, or what data is sent to apiDomain. That vagueness means an agent could end up uploading user-supplied videos or reading the listed config path without clear limits.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism.
!
Credentials
Requesting NEMO_TOKEN as the primary credential is proportionate for a service-backed editor. But the SKILL.md metadata's configPaths entry suggests the skill may read a local config directory (~/.config/nemovideo/) which could contain other secrets or tokens; the registry metadata contradicts that. The required env/config access should be clarified and minimized.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not claim persistent/system-wide changes; no elevated persistence is requested.
What to consider before installing
This appears to be a legitimate NemoVideo integration but there are two things to check before installing: (1) Confirm whether the skill will read ~/.config/nemovideo/ (the SKILL.md metadata lists it but the registry metadata does not). Reading that directory could expose other local tokens/config. (2) Confirm exactly what data is uploaded to the external apiDomain (mega-api-prod.nemovideo.ai): video files, metadata, transcripts, etc., and whether NEMO_TOKEN can be scoped/rotated. If you proceed, use a least-privilege token pinned to this service, test with non-sensitive files first, and ask the publisher for explicit runtime docs that describe exactly which files are read and what is sent to the API.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ygqgys0memr2c8v2zt28bn83xqgr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💼 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments