Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Davinci Resolve

v1.0.0

Get edited video files ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, MKV, up to 500MB), say something like "...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims 'download 4K MP4' in the description, but the Cloud Render Pipeline section limits outputs to H.264 up to 1080x1920 — a direct capability mismatch. The name references 'DaVinci Resolve' yet the instructions only accept flat MP4 exports (no Resolve project integration). The declared config path (~/.config/nemovideo/) appears despite this being an instruction-only skill; it's unclear what will be stored there.
Instruction Scope
Runtime instructions tell the agent to: call an external API (mega-api-prod.nemovideo.ai) to mint anonymous tokens, create sessions, POST SSE messages, and upload local files (multipart form '@/path'). They also require adding three attribution headers and 'auto-detecting' an install path to set X-Skill-Platform, which implies reading agent/install paths or environment: more filesystem/environment access than a minimal upload tool needs. The flow is otherwise consistent with a cloud-editing service, but the header/platform detection and ambiguous storage of session/token raise scope and privacy questions.
Install Mechanism
Instruction-only skill with no install spec or code to download; nothing will be written by an installer. This has the lowest install risk.
Credentials
Only one env var (NEMO_TOKEN) and a config path (~/.config/nemovideo/) are declared, which is proportionate for a cloud API client. However, the skill will mint an anonymous token on demand via the external API if none is provided, and it’s unclear where tokens/sessions are persisted. The required attribution headers and suggested platform auto-detection imply the agent may read environment or filesystem metadata.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent inclusion or modification of other skills. Session tokens and render jobs live on the service side; closing the client may orphan jobs as documented. Autonomous invocation is allowed (the platform default) but is not combined here with elevated privileges.
What to consider before installing
This skill calls an external, unverified API and asks you to upload video files and/or supply a NEMO_TOKEN. Before using it: (1) note the mismatch — the description promises 4K but the API docs within the skill limit output to ~1080p; don't assume 4K results. (2) Only upload non-sensitive test footage until you verify the service, privacy policy, and data retention. (3) Prefer creating and providing your own token (if you trust the service) rather than letting the agent mint one automatically. (4) Ask where tokens and session IDs are stored on your system (~/.config/nemovideo/ appears declared). (5) If you’re uncomfortable with the agent reading install paths or auto-detecting platform metadata, do not install or invoke the skill. If you want to proceed, verify the backend domain (mega-api-prod.nemovideo.ai) and ideally look for an authoritative homepage/terms or an official vendor before uploading real content.

Like a lobster shell, security has layers — review code before you run it.

latestvk971bzet53es58wkchrzdxn9wd84s2j6

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
