Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Podcast Clip Editor

v1.0.0

You recorded a two-hour conversation. Somewhere in there is the three minutes that will make someone stop scrolling, listen, and subscribe. Finding it means...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose is to accept audio/video and transcripts, analyze them, and produce clips; that capability reasonably implies uploading media to a backend service or running heavyweight tools locally. The SKILL.md includes an apiDomain (https://mega-api-dev.nemovideo.ai), which implies a remote service, but the skill declares no required credentials, endpoints, or client binaries. This mismatch (a remote API is present, but no auth or usage details are given) is unexplained.
Instruction Scope
The instructions are high-level: 'Upload your episode audio or video and the episode transcript (or let AI generate one).' They do not specify where or how to upload, what endpoints to call, or what data is collected and stored. There are no explicit instructions to read unrelated system files, but the vagueness gives the agent broad discretion to choose an upload destination (potential data exfiltration risk if the agent uses the apiDomain).
Install Mechanism
No install spec or code files are included (instruction-only). That reduces supply-chain risk because nothing is downloaded or written by an installer. However, instruction-only skills can still cause network uploads when invoked.
Credentials
The skill declares no required environment variables or credentials, yet the embedded apiDomain suggests it would interact with a remote service that usually needs authentication. Declaring no auth details at all (API key, secret, or OAuth) is inconsistent with that and leaves the behaviour unclear: either the skill won't actually call the remote API, or it omitted necessary credential requirements. Both possibilities are important to resolve.
Persistence & Privilege
The skill is not 'always' enabled and does not request any special persistent privileges. It does not declare writing to system-wide config or modifying other skills. This dimension shows no elevated privilege.
What to consider before installing
This skill claims to process and upload podcast audio to produce clips but is vague about how and where data is sent. Before installing or using it, ask the publisher: (1) Do you call the listed apiDomain? If so, provide exact endpoints, authentication method, and whether an API key is required. (2) What is the data retention, access, and deletion policy for uploaded audio/transcripts? (3) Is media sent to a third party or stored persistently? (4) Who operates the apiDomain (company/legal entity) and is there a privacy/security policy? If you cannot verify these, avoid uploading sensitive or proprietary audio. Because the package is instruction-only and contains no code, the immediate supply-chain risk is low — the main risk is unintended network exfiltration of audio or PII due to the undefined remote service. Resolve the apiDomain/auth mismatch before trusting the skill with real content.


Version: latest · vk97awcdmjawf6bkwnyqrvv8hb5844dmx
