Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Editor Banana
v1.0.0edit raw video footage into edited video clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. food content creators use it for editing sh...
⭐ 0· 19·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (AI video editing) aligns with the actions in SKILL.md: session creation, upload, SSE-based edits, and export via a cloud API. Requiring a NEMO_TOKEN and including API endpoints for uploads/exports is coherent. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — an inconsistency in declared requirements. Also the SKILL.md asks to auto-detect an install path to populate X-Skill-Platform, but the skill has no install spec, so that auto-detection may be impossible or require reading runtime/install paths.
Instruction Scope
The runtime instructions direct the agent to connect to an external service (https://mega-api-prod.nemovideo.ai), create or use a bearer token, upload video files, and poll for export URLs — all expected for a cloud editor. Concerns: (1) the instructions require adding attribution headers on every request and auto-detecting platform/install path (may require filesystem or environment introspection not declared in the registry); (2) SKILL.md frontmatter references a config path which is not declared elsewhere; (3) there is no publisher/source or homepage to validate the external API domain. The skill does not instruct reading unrelated local secrets, but it will transmit user videos and metadata to the remote service.
Install Mechanism
No install spec and no code files — instruction-only — which is lower risk because nothing is written to disk by a packaged installer. The agent will only make network calls as described in SKILL.md.
Credentials
Only NEMO_TOKEN is required (declared as primary credential), which is proportionate for a cloud API. The SKILL.md also describes obtaining an anonymous token if NEMO_TOKEN is absent. Caveats: providing a long-lived NEMO_TOKEN (set as an env var) grants the skill ongoing API access to upload and manage jobs; users should prefer the ephemeral anonymous-token flow if they do not trust the service. The config-path mentioned in the frontmatter (but not in registry metadata) is unexplained.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It is instruction-only and does not request permission to modify other skills or system-wide settings. Saving session_id in memory for workflow is normal and expected.
What to consider before installing
This skill will upload any video and related metadata you provide to https://mega-api-prod.nemovideo.ai and requires a bearer token (NEMO_TOKEN) to operate. Before installing, consider: 1) There is no homepage or source URL to verify the publisher or service; confirm the domain and privacy policy elsewhere. 2) The SKILL.md frontmatter references a config path (~/.config/nemovideo/) that the registry did not declare — ask the publisher whether the skill will read or write that path. 3) Prefer the anonymous-token flow for one-off usage; avoid setting a long-lived NEMO_TOKEN env var unless you trust the service. 4) Do not upload sensitive or private footage unless you’ve verified the vendor’s policies and provenance. If you need more assurance, request the skill author/publisher info, a code repo, or documentation and a published API reference before enabling the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk973n6p835zzm9csgqrwq6q45h84yqq8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🍌 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN