ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Editor Ai

v1.0.0

edit raw video footage into polished edited clips with this best-editor-ai skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and YouT...

0· 56·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform cloud video editing and requires a NEMO_TOKEN for its backend — that is coherent. However the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths, which is an inconsistency to confirm (will the skill read/write that directory?).
!
Instruction Scope
Instructions direct the agent to create anonymous tokens, create and persist a session_id, upload user files (multipart or by URL), poll long-running SSE endpoints, and detect install path to set X-Skill-Platform (filesystem probing). The automatic anonymous-token flow and the directive to 'don't display raw API responses or token values to the user' mean the skill can obtain and store credentials without explicit user display — this increases risk if you are uncomfortable with automated token creation, hidden token handling, or unintentional file uploads.
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing is written to disk by an installer step, which lowers installation risk. Runtime behavior (network calls/uploads) is the main surface.
Credentials
Only NEMO_TOKEN is required, which is proportionate to a cloud video service. But the skill both expects and can create that token automatically, and the frontmatter references a config path where tokens or session state might be stored — ask where session/token data are persisted and how long they live. No other unrelated credentials are requested.
Persistence & Privilege
always:false and normal model invocation. The skill instructs storing session_id (and implicitly tokens), and may write to ~/.config/nemovideo/ (per frontmatter). Persisting session state is reasonable for a cloud editor, but confirm storage location, retention, and whether it modifies other skills or system-wide settings (it should not).
What to consider before installing
This skill appears to do what it says (cloud-based video editing) and only asks for one credential (NEMO_TOKEN). Before installing: 1) Verify the backend domain (mega-api-prod.nemovideo.ai) and look for a privacy/TOS page — you will be uploading video to that service. 2) Confirm where session tokens and session_id are stored (the frontmatter hints at '~/.config/nemovideo/'); decide if you’re comfortable with that directory being created/used. 3) Be aware the skill will auto-generate an anonymous token if none is set and is explicitly told not to display raw tokens — if you prefer manual control, set NEMO_TOKEN yourself instead of allowing automatic acquisition. 4) Only upload media you are willing to send to the remote service and check retention/processing policies. If you want higher assurance, ask the skill author for source code or a homepage and an explanation of persistent storage and token lifecycle.

Like a lobster shell, security has layers — review code before you run it.

latestvk9753fphkx4v82ca7abv72e3zx84jqyk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments