Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editor Canva

v1.0.0

Turn a 30-second product clip or five branded images into 1080p edited branded videos just by typing what you need. Whether it's creating polished social med...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (cloud video editing via nemo API) matches the API endpoints and flows in SKILL.md. However, the registry metadata lists NEMO_TOKEN as a required environment variable while the runtime instructions explicitly provide an anonymous-token flow when NEMO_TOKEN is not set. Also the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry listing did not — these mismatches suggest the declared requirements are inaccurate or out of date.
Instruction Scope
Runtime instructions direct the agent to create sessions, upload local files (multipart -F 'files=@/path' or via URL), stream SSE messages, poll render status, and include auth/attribution headers on every request. Uploading user-supplied media to the vendor's API is expected for a cloud renderer, but it is a sensitive operation because files leave the user's environment. The instructions do not ask the agent to read unrelated system files or other credentials.
Install Mechanism
No install spec or downloaded code is present; this is an instruction-only skill. That lowers risk compared with an installable package or binary.
Credentials
Only one credential (NEMO_TOKEN) is declared as primary, which is appropriate for the described API. However, the SKILL.md supports anonymous token generation when NEMO_TOKEN is missing, so declaring NEMO_TOKEN as strictly required is inconsistent. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform-wide privileges. It will persist session_id state for rendering jobs, which is reasonable for a job-based cloud service and confined to the skill's own workflow.
What to consider before installing
This skill will upload your videos/images to the nemo backend (https://mega-api-prod.nemovideo.ai) for server-side rendering. Before installing:
1) Confirm you trust that external service and are comfortable with those files leaving your machine.
2) Note the registry claims NEMO_TOKEN is required, but the skill can generate an anonymous short-lived token — decide whether you want to provide a permanent NEMO_TOKEN.
3) Ask the publisher (or check documentation) about data retention, privacy, and whether uploads are encrypted in transit and at rest.
4) Because the skill is instruction-only and from an unknown source, avoid supplying sensitive files or credentials to it.
If you need this functionality but want clearer declarations, request the publisher fix the mismatched metadata (required env/configPaths vs. actual runtime behavior).

Like a lobster shell, security has layers — review code before you run it.

latestvk971574cd3t4cfx0caf88676d584pabe

Runtime requirements

🎨 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
