Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Color Grading
v1.0.0Cloud-based color-grading tool that handles applying cinematic color grades to raw footage. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe what you...
⭐ 0· 15·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (cloud color grading) aligns with the instructions: upload video, create session, render, return download URL. Requesting a single service token (NEMO_TOKEN) is appropriate. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained. The skill's source/homepage are unknown, which reduces confidence in provenance.
Instruction Scope
Instructions are focused on interacting with the nemovideo API (session creation, uploads, SSE, export/polling). They also instruct generating an anonymous token if NEMO_TOKEN is missing and to detect install/platform by probing local install paths (~/.clawhub/, ~/.cursor/skills/). Probing these local paths is outside pure network-only operation and is not declared elsewhere; the skill also instructs not to expose tokens but does not explain persistent storage of the anonymous token. Overall scope is close to expected, but the local path checks and token handling should be confirmed.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest install risk (nothing is written to disk by the skill itself).
Credentials
Only one declared required env var (NEMO_TOKEN), which is appropriate for an authenticated cloud service. The SKILL.md will create/use an anonymous token if NEMO_TOKEN is absent — reasonable but means the skill will make a network request to obtain credentials dynamically. The frontmatter's configPaths entry suggests the skill might also access local configuration, which is not reflected in the registry 'Required config paths' field; that mismatch is unexplained.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent system-wide privileges. It does instruct reading its own frontmatter and checking common install locations to identify platform, which requires filesystem access but not elevated privileges. Nothing indicates it modifies other skills or global agent settings.
What to consider before installing
This skill appears to be an instruction-only connector to a cloud rendering backend and will make network requests to mega-api-prod.nemovideo.ai and may generate/use an anonymous token if NEMO_TOKEN is not present. Before installing: confirm the service’s legitimacy (homepage, privacy policy, owner), avoid uploading sensitive footage until you trust the backend, and consider creating a limited-scope token for NEMO_TOKEN rather than reusing broad credentials. Also note the SKILL.md references reading local install/config paths — if you are uncomfortable with local filesystem probing, don't install. If you need higher assurance, ask the publisher for a homepage, source code, or a privacy/data-retention statement.Like a lobster shell, security has layers — review code before you run it.
latestvk975z0tsfbtz2sdtg0b07zq5ax84j3h6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎨 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN