Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ffmpeg Resize Video

v1.0.0

Tired of manually resizing dozens of videos for different platforms, only to end up with blurry results or broken aspect ratios? This skill brings ffmpeg-res...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name and description (FFmpeg-based video resizing) align with the runtime instructions, which call a Nemovideo cloud API to run server-side FFmpeg. The single required env var (NEMO_TOKEN) is consistent with a cloud processing service.
Instruction Scope
The SKILL.md instructs the agent to (a) check for or obtain a NEMO_TOKEN by POSTing to the provider, (b) create a session and upload user files (multipart file@/path or URL), (c) submit jobs, and (d) poll for results. This is expected for a cloud video-processing skill. One unusual instruction is "Don't display raw API responses or token values to the user". Concealing token values is normal for secrets, but suppressing raw API responses may hide useful debugging info; the user should know the skill uploads their files to an external service.
Install Mechanism
No install spec and no code files — this is instruction-only. That is low-risk from an install perspective (nothing written to disk by the skill itself).
Credentials
Only one credential is required (NEMO_TOKEN) and it is the primary credential for the stated cloud API. The skill will auto-request an anonymous token if none is present and will store a session_id. This is proportionate for a cloud service, but it means the skill will obtain/store a bearer token and use it to access the provider on your behalf.
Persistence & Privilege
always:false and no other elevated privileges requested. The agent is allowed to invoke the skill autonomously (platform default). The skill may access local file paths for uploads and inspect install paths to set X-Skill-Platform, which is consistent with its functionality.
Assessment
This skill appears to do what it says: it uploads your videos to the Nemovideo backend, uses a NEMO_TOKEN bearer token for authorization (and can create an anonymous token if you don't provide one), and returns download links for processed outputs. Before installing or using it, consider: (1) Your videos will be uploaded off your machine to https://mega-api-prod.nemovideo.ai — do not use this skill for sensitive or confidential footage unless you trust that service and have reviewed its privacy/retention terms. (2) The skill will obtain and use a bearer token (NEMO_TOKEN) and store session identifiers; treat that token as sensitive. (3) The SKILL.md advises hiding raw API responses/token values from users — this is reasonable for secrets but means debugging info may be suppressed. (4) If you prefer not to upload content to an external service, use a local FFmpeg tool instead. If you want greater assurance, ask the skill author for the provider's privacy policy, or test with non-sensitive sample videos first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97243nqq13d63jh8vnqtsr4ws8413hw


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
