ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Best

v1.0.0

Turn a 2-minute promotional video clip into 1080p polished video files just by typing what you need. Whether it's getting professional-quality edits without...

0· 51·0 current·0 all-time
by@roca-677
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud video editing) align with the runtime instructions (uploading videos, requesting renders, polling status) and the single required credential (NEMO_TOKEN). However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) for storing state, while the registry metadata reported no required config paths — this inconsistency deserves verification.
Instruction Scope
Instructions confine actions to the external video service (token acquisition, session creation, uploads, render/export endpoints). They do direct the agent to automatically obtain an anonymous token and start a connection on first open, generate/POST a client UUID, and store a session_id. The skill also infers platform/install path for an attribution header (implies reading install path). There are no instructions to read unrelated system files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code, which minimizes disk-write/install risk.
Credentials
Only NEMO_TOKEN is required and is appropriate for a hosted video service. The instructions include automatic anonymous token generation and an instruction to 'don't display raw API responses or token values to the user' — hiding secrets from the UI is normal, but combined with auto-creation and implicit storage it increases the need to confirm where the token/session are persisted and who controls them.
!
Persistence & Privilege
The skill instructs storing session_id for subsequent requests and the SKILL.md frontmatter lists ~/.config/nemovideo/ as a config path. Registry metadata did not declare required config paths. Persisting tokens/sessions on disk is reasonable for usability, but the mismatch and lack of explicit declaration is a concern: verify where tokens/sessions are written, whether they are encrypted, and whether the skill will create files under that path.
What to consider before installing
This skill appears to actually call an external video-processing service (mega-api-prod.nemovideo.ai) and will upload whatever videos you drop into the chat. Before installing: 1) confirm the service/domain is legitimate and has a privacy policy you accept (videos and audio will leave your machine); 2) ask how and where the anonymous token and session_id are stored (SKILL.md references ~/.config/nemovideo/ but registry metadata omitted config paths); 3) note the skill auto-creates a token and connects on first open — consider requiring explicit user consent before uploads or network connections; 4) if you need stricter control, request a version that asks for an externally-provided API key instead of auto-provisioning; and 5) avoid installing if you cannot verify the skill's origin/homepage or vendor identity.

Like a lobster shell, security has layers — review code before you run it.

latestvk974js95tdrxxw9vv11927nq6184mmvd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments