Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Create
v1.0.0Skip the learning curve of professional editing software. Describe what you want — trim dead air, add background music, and generate a YouTube-ready intro —...
⭐ 0· 35·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (cloud video editing) aligns with the runtime instructions (upload, render, export) and the single required credential NEMO_TOKEN is appropriate for access to the remote API. However the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch should be clarified.
Instruction Scope
Instructions direct the agent to obtain/store an anonymous token (POST to /api/auth/anonymous-token) if NEMO_TOKEN is absent, create sessions, upload user video files (multipart file uploads or by URL), use SSE endpoints, and poll render status. Uploading user videos to the remote service is expected for this functionality, but it is a privacy/attack-surface concern: user content (potentially sensitive) will be transmitted to mega-api-prod.nemovideo.ai. The file-upload examples reference local file paths (files=@/path), which implies the agent/tool will need file access to perform uploads. The instructions also instruct the agent to detect install path (~/.clawhub or ~/.cursor/skills/) to set a header, which implies reading filesystem state outside the skill's own working data.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code — lowest install risk. There is no automated download or third-party package installation described.
Credentials
The skill only requires a single credential (NEMO_TOKEN), which is proportionate to a remote API service. The SKILL.md will create and store an anonymous token automatically if NEMO_TOKEN is not present; that behavior should be explicit to the user. The frontmatter's configPaths entry (~/.config/nemovideo/) is present in the SKILL.md but not in the registry metadata — an inconsistency that could affect where credentials/session state are saved.
Persistence & Privilege
always:false (default) and autonomous invocation allowed — standard for skills. The skill instructs storing of a session_id and the anonymous token (valid for 7 days) for subsequent API calls; this is normal for a remote-service integration but means the skill will retain credentials/session state between uses.
What to consider before installing
This skill appears to be a cloud-based video editor that uploads your footage to mega-api-prod.nemovideo.ai and uses a token (NEMO_TOKEN) for authorization. Before installing: (1) understand that any videos you upload will be sent to a third-party server — do not upload sensitive content unless you trust the service and its retention/privacy policy; (2) note the skill will automatically request and store an anonymous token if none is present — consider using a throwaway account/token if you want to limit exposure; (3) confirm where credentials/session state are stored (the SKILL.md references ~/.config/nemovideo/); (4) the skill’s source/homepage is unknown — try to verify the provider/domain and privacy/security practices before trusting it with private videos; (5) if you must proceed, test with non-sensitive footage first and monitor network activity and where tokens/sessions are stored.Like a lobster shell, security has layers — review code before you run it.
latestvk97bx1zxqcxzedym1wwzm9g6q584ssfb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN