ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Google

v1.0.0

Get edited MP4 clips ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, WebM, up to 500MB), say something like "t...

0· 41·0 current·0 all-time
by@roca-677
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: endpoints, upload, SSE, render/export flow and a single API credential (NEMO_TOKEN) are what an online video-editing integration would need. However the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) that is not referenced in the body and conflicts with the registry metadata that lists no required config paths — this inconsistency should be clarified.
!
Instruction Scope
The instructions explicitly tell the agent to obtain or reuse a NEMO_TOKEN, create sessions, upload user video files (up to 500MB), stream SSE, and poll render endpoints — all expected for cloud editing but they involve sending potentially sensitive user data to an external service (mega-api-prod.nemovideo.ai). The skill also asks the agent to 'auto-detect' an install path for X-Skill-Platform headers (which implies reading environment/paths) though it doesn't clearly limit what filesystem locations to read. The agent is instructed to generate tokens automatically if none exist; this automatic auth action and the upload behavior are privacy-sensitive and should be explicit to users.
Install Mechanism
No install spec or executable downloads are present; the skill is instruction-only, which keeps install-time risk low (nothing is written to disk by an installer).
Credentials
Only one credential is declared (NEMO_TOKEN) and that matches the described API usage. Minor concern: the frontmatter lists a config path (~/.config/nemovideo/) which the registry metadata did not list — it's unclear whether the skill expects to read local config files in addition to environment variables. The skill will also create or refresh an anonymous token and treat it as NEMO_TOKEN, which may result in credentials being stored or reused; users should understand where such tokens are persisted.
Persistence & Privilege
The skill does not request always: true and does not claim system-wide changes. Autonomous invocation is allowed (default) but not combined with elevated persistence flags — no elevated privilege concerns from the provided metadata.
What to consider before installing
This skill uploads your raw video files and (if no token is present) will call an external auth endpoint to create a NEMO_TOKEN for use with nemovideo.ai. Before installing, confirm you trust mega-api-prod.nemovideo.ai and the skill author, and understand that your videos will be sent to that cloud service. Ask the author to clarify the metadata mismatch about ~/.config/nemovideo/ (does the skill read local config files?), and confirm where anonymous tokens are stored and for how long. If you require stricter privacy, only use this skill with non-sensitive footage or after verifying the service's privacy policy and account handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dmb0ta462b7gc52he7qmxxs84ssqy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments