Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Descript Ai
v1.0.0
podcasters and content creators edit raw video footage into edited polished videos using this skill. Accepts MP4, MOV, WAV, MP3 up to 500MB, renders on cloud...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform cloud video editing (transcript-driven edits, uploads, exports) and its API calls, SSE workflow, and file formats line up with that purpose. However the skill is named "Descript Ai" while all endpoints use mega-api-prod.nemovideo.ai (a different domain), which is a branding/domain mismatch that could indicate mislabeling or impersonation. Also the SKILL.md frontmatter requests a config path (~/.config/nemovideo/) while the registry metadata listed none — an inconsistency in declared scope.
Instruction Scope
Instructions are specific: connect to the given API, optionally obtain an anonymous token via a POST, create sessions, upload files, handle SSE, and poll export status. They do not instruct reading unrelated user files or arbitrary env vars beyond NEMO_TOKEN. They do ask the agent to persist session_id/token and include specific attribution headers on every request.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by an installer step. This is the lower-risk posture for install behavior.
Credentials
Only one credential is required (NEMO_TOKEN), which is proportionate for a cloud editing service. But SKILL.md metadata also declares a config path (~/.config/nemovideo/) that would give the skill a place to persist tokens or session state — the registry listing did not show this path, creating an unexplained discrepancy. The ability to generate an anonymous token via the API means the skill can obtain credentials without the user pre-providing them.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. It instructs saving session_id and using/storing a token, which is reasonable for a session-based API, but it does not request system-wide privileges or modify other skills' configs.
What to consider before installing
This skill appears to implement a cloud video-editing workflow, but take these precautions before installing:
- Confirm the backend domain and ownership: the skill is named "Descript Ai" but all network calls go to mega-api-prod.nemovideo.ai. If you expect the official Descript service, use the vendor's verified integration.
- Be aware it will use or obtain a NEMO_TOKEN (it can generate an anonymous token for you) and may persist session/token information under ~/.config/nemovideo/. If you don't want tokens stored locally, do not allow persistence.
- Because this is instruction-only with no source or homepage, you can't audit code; only network behavior is specified. Consider testing with non-sensitive sample media and a throwaway account/token first.
- If you proceed, limit its access (don't put high-privilege or unrelated credentials in env vars), and verify the service's privacy/retention policy for uploaded media.

Like a lobster shell, security has layers — review code before you run it.
latestvk97dywnr39wea1aaxsfe6w7e6h84j486
Runtime requirements
✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
