ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Video Maker Ai

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — turn my clips into a polished promo video with music and transitions — and...

0· 53·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (remote AI video rendering) align with the runtime instructions: uploading video files and calling mega-api-prod.nemovideo.ai endpoints. The required env var NEMO_TOKEN is appropriate as the primary credential. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and worth clarifying.
Instruction Scope
Instructions stay within the stated purpose (session management, SSE edits, upload, export). They explicitly tell the agent to obtain an anonymous token if no NEMO_TOKEN is present, start a session, upload user video files, and poll for exports — all expected for a cloud render service. Points to watch: instructions require saving session_id and token state (where/how to persist is unspecified), and they ask the agent to 'auto-detect' an install path to set X-Skill-Platform header (unclear whether that will prompt reading local install paths or filesystem probing). The skill also encourages uploading potentially sensitive video/audio to a third-party domain — this is expected functionality but has privacy implications.
Install Mechanism
No install spec and no code files (instruction-only). This is lower risk because nothing is being downloaded or written by an installer. All runtime behavior is API calls described in SKILL.md.
Credentials
Only one environment variable is required (NEMO_TOKEN), which is proportionate for a remote API. The frontmatter's mention of a config path (~/.config/nemovideo/) is inconsistent with the registry metadata (which lists none) — if the skill will read that path it should be declared. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and uses normal autonomous invocation defaults. It instructs saving session_id and possibly storing generated anonymous tokens (100-credit, 7-day tokens) — this persistent credential storage is reasonable for a session-based service but should be explicit about where/how tokens/session IDs are stored and how to clear them.
What to consider before installing
This skill appears to do what it says: upload your media to a remote rendering service and return edited videos. Before installing, verify these points: 1) Confirm you trust the domain mega-api-prod.nemovideo.ai and are comfortable uploading your videos to it (privacy risk). 2) Ask the publisher to explain the config path discrepancy (~/.config/nemovideo/ present in SKILL.md frontmatter but not in registry metadata) — clarify whether the skill will read local config files. 3) Clarify how and where session IDs and anonymous tokens are stored and how to revoke them. 4) Be aware the skill will include custom headers that require detecting an install path (ask what filesystem access this detection needs). If you cannot verify the source (homepage/source unknown), consider not installing or running it in a restricted environment until those questions are answered.

Like a lobster shell, security has layers — review code before you run it.

latestvk97drvn1a5fs5aw6mv23vrhsyx84n6am

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments