ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editor Google

v1.0.0

Get edited MP4 videos ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, WebM, up to 500MB), say something like "...

0· 36·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is a browser-based video editor; its instructions call a nemo/vide o backend (mega-api-prod.nemovideo.ai) and require NEMO_TOKEN which is coherent. However the description references 'Google Drive users' and 'works like Google Docs for video' while no Google Drive integration, OAuth scopes, or Google credentials are requested or documented — this is a misleading claim. Also registry metadata shown earlier omits config path requirements while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/).
Instruction Scope
The SKILL.md gives concrete, service-scoped API flows: anonymous-token generation, session creation, SSE messaging, upload and export endpoints. It does not instruct reading unrelated system files or other env vars. It does instruct detecting install path (to set X-Skill-Platform) and reading the skill's YAML frontmatter for attribution headers — these are self-contained and expected for telemetry/attribution.
Install Mechanism
No install spec or code is included (instruction-only). Nothing will be downloaded or written by an installer during skill install. This is the lowest-risk install pattern.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which aligns with a remote API-based service. The SKILL.md also supports creating an anonymous token if none is present. The inconsistency between the registry's earlier 'required config paths: none' and the SKILL.md frontmatter listing ~/.config/nemovideo/ is unexplained and should be clarified (where will tokens/session IDs be stored?). No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide agent settings. It instructs storing a session_id and token for use in subsequent requests (normal for session-based APIs); it is unclear whether storage is in-memory or in the config path referenced in metadata — confirm storage location and lifetime before installing.
What to consider before installing
This skill appears to be an instruction-only integration with a remote service at mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN. Before installing: (1) confirm the service domain and review its privacy/terms (no homepage is provided), (2) note the description mentions Google Drive but the skill contains no Google integration — do not assume Drive access will be provided, (3) ask where tokens/session IDs are stored (in-memory vs ~/.config/nemovideo/) and whether that file is created on disk, (4) be cautious about anonymous-token generation: the skill will POST to the backend and store returned tokens which grant access to render jobs, so do not supply other credentials to this skill, and (5) if you require higher assurance, request source code or an official homepage/publisher and verify the API endpoints and ownership before granting the skill network access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bc77mbp457qgpfxdc2btfks84rb2v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments