ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Like Capcut

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — trim the footage, add transitions, and overlay background music — and get...

0· 37·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a cloud-based AI video editor and all API endpoints, headers, and flows in SKILL.md align with that purpose. However, the registry metadata shows no required config paths while the SKILL.md frontmatter lists ~/.config/nemovideo/ — an internal inconsistency. Also NEMO_TOKEN is declared as required, yet the instructions include an anonymous-token fallback flow, so requiring the env var as mandatory is misleading.
Instruction Scope
Instructions are narrowly scoped to interacting with the nemovideo.ai API: create a session, upload video files or URLs, stream SSE, poll renders, and return download URLs. They do not instruct reading unrelated system files or other credentials. Minor oddities: an instruction to auto-detect an install path for X-Skill-Platform (may not apply to an instruction-only skill), and the SKILL.md metadata references a config path that the runtime instructions never explicitly read.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install mechanism (nothing is written to disk by an installer).
Credentials
Only one credential is declared (NEMO_TOKEN), which is appropriate for a cloud service. However, the SKILL.md provides an anonymous token acquisition flow, making the 'required' label for NEMO_TOKEN questionable. The frontmatter's configPaths claim access to ~/.config/nemovideo/, which is not declared elsewhere in the registry metadata — this mismatch should be clarified.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It requires session/state tokens for its own operations only. Autonomous invocation is enabled (normal default) but not in combination with other high privileges.
What to consider before installing
This skill appears to implement a cloud video-editing workflow and will upload whatever videos you provide to mega-api-prod.nemovideo.ai. Before installing or using it: 1) Confirm the backend domain (nemovideo.ai) is trustworthy and acceptable for your content; do not upload private/sensitive footage until you verify data-retention and privacy policies. 2) Decide whether to supply your own NEMO_TOKEN or rely on the skill's anonymous-token flow — the skill declares NEMO_TOKEN as required but can fall back to an anonymous token, so ask the author to clarify. 3) Ask the publisher why the SKILL.md lists a local config path (~/.config/nemovideo/) when the registry shows none — that could indicate the skill expects to read local config. 4) If you need stricter guarantees, request the skill be published with a homepage/source and a privacy/terms link, or prefer an officially supported client.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bn450sr4w989m6bvdnpg9ss84s4b0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments