Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Editing Anup Sagar
v1.0.0
Tired of spending hours cutting footage, writing captions, and piecing together video sequences manually? ai-video-editing-anup-sagar brings Anup Sagar's sig...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with a cloud-based video-editing service and the single required credential (NEMO_TOKEN) is consistent with that purpose. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata presented to you listed no required config paths — this mismatch is an incoherence that should be clarified (does the skill expect to read user config files?).
Instruction Scope
The runtime instructions explicitly direct the agent to: automatically connect to an external API on first interaction, optionally generate an anonymous token via a network call, create/save a session_id, send/stream messages (SSE), and upload user files (multipart POST or by URL) to mega-api-prod.nemovideo.ai. Those behaviors are expected for a cloud editing integration, but the instruction to 'connect before doing anything else' means the skill will attempt network activity automatically; users should expect their footage and related metadata to be transmitted to the external service. The skill also instructs detecting install paths to set an attribution header (requires filesystem access to determine platform).
Install Mechanism
This is instruction-only (no install spec, no code files). That reduces disk-write and supply-chain risk compared to skills that download or extract archives.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which is proportionate for a third-party API. Note: SKILL.md instructs generating an anonymous token if none is present and treating the returned token as NEMO_TOKEN (100 credits, 7-day expiry). The frontmatter's configPaths entry (present in SKILL.md) hints the skill may want to read ~/.config/nemovideo/ — this was not reflected in the registry 'Required config paths' and should be clarified before granting filesystem access.
Persistence & Privilege
The skill is not force-enabled (always: false) and uses normal autonomous invocation settings. It does instruct creating and retaining a session_id and using tokens for requests, but it does not explicitly request permanent system-wide privileges or modify other skills. Still, because it will make outbound requests and may upload files, users should be aware of data flow and token lifetime (anonymous token lasts 7 days).
What to consider before installing
This skill appears to be a cloud-backed video-editing assistant that sends footage and metadata to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN. Before installing:
(1) Verify you trust the external service/domain and the skill author; uploaded videos will be transmitted to that API.
(2) Clarify the metadata mismatch: SKILL.md mentions reading ~/.config/nemovideo/ but registry metadata did not — ask whether the skill will read local config files and what it will read.
(3) Prefer using an ephemeral or limited-scope token if possible (or use the anonymous token flow and be aware it grants 100 credits for 7 days).
(4) Don’t provide sensitive files or credentials to the skill; review any files the skill uploads and confirm privacy/retention policies with the service.
(5) If you want stricter control, disable autonomous invocation for the skill or require explicit consent before it performs uploads or generates tokens.
If the publisher cannot explain the configPaths discrepancy and exact data flows, treat the skill with caution.
Like a lobster shell, security has layers — review code before you run it.
latest vk9798n3y3fwn61ktmfczxbh0h98496wq
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
