ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editing With Free

v1.0.0

Cloud-based video-editing-with-free tool that handles editing videos for free without installing software. Upload MP4, MOV, AVI, WebM files (up to 500MB), de...

0· 56·0 current·0 all-time
by@roca-677
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe a cloud video editing service and the SKILL.md contains API endpoints and upload/export flows that match that purpose. Requiring a service token (NEMO_TOKEN) is reasonable. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — that mismatch is unexplained and unnecessary for a purely cloud API client.
Instruction Scope
Runtime instructions confine most actions to the external API (session creation, SSE, upload, render polling). They also instruct generation of an anonymous token if NEMO_TOKEN is missing and describe uploading files via multipart using local file paths. That file-upload behavior is expected for a video uploader, but it means the agent will need access to user-supplied files and may be instructed to read paths. The directive to auto-detect X-Skill-Platform from an install path is vague (no install exists) and could prompt the agent to examine filesystem/install locations unnecessarily.
Install Mechanism
There is no install spec and no code files; this is instruction-only, so nothing is written to disk by the skill itself. Low installation risk.
!
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which fits a cloud API client. But SKILL.md also instructs how to obtain an anonymous token by calling the API if the env var is absent — making the token optional. The frontmatter's inclusion of a config path (~/.config/nemovideo/) is unexplained and suggests potential access to local config not required by the registry metadata. Overall, the env/credential needs are plausible but the inconsistencies are concerning.
Persistence & Privilege
always is false, no install, no modifications of other skills or system-wide settings. The skill can be invoked autonomously (normal default) but it does not request elevated persistent privileges.
What to consider before installing
This skill appears to be a cloud video-editor that uploads your files to mega-api-prod.nemovideo.ai and uses a token named NEMO_TOKEN. Before installing, consider: (1) Privacy — uploaded videos (and their audio) will be sent to an external service; do not upload sensitive content. (2) Credential handling — the registry claims NEMO_TOKEN is required but the skill can also fetch an anonymous token; ask the publisher which behavior is expected and how tokens are stored/rotated. (3) Config path mismatch — SKILL.md mentions ~/.config/nemovideo/ even though registry metadata lists none; confirm why local config would be accessed. (4) Confirm the service domain and read its privacy/terms; if you cannot verify the publisher or domain, avoid uploading private videos. If you want higher assurance, request an explicit install spec, a publisher homepage, or code that shows exactly how tokens and uploads are handled.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fk8sh7c09mzqmrxgc851j6x84nzgn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments