Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy Audio Editor

v1.0.0

Cloud-based easy-audio-editor tool that handles cleaning and trimming audio tracks for video projects. Upload MP3, WAV, AAC, M4A files (up to 200MB), describ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is a cloud audio editor and legitimately needs an API token (NEMO_TOKEN) and a config location for session state; however the registry header listed 'Required config paths: none' while the skill's YAML frontmatter declares ~/.config/nemovideo/, which is an internal inconsistency.
Instruction Scope
Runtime instructions tell the agent to auto-obtain an anonymous token (POST to mega-api-prod.nemovideo.ai) if NEMO_TOKEN is missing, store session_id, and derive/send headers that may require checking install paths (e.g., ~/.clawhub/, ~/.cursor/skills/). Automatically generating and storing tokens and probing user filesystem paths introduces privacy exposure and scope creep beyond the simple 'upload and edit' wording.
Install Mechanism
This is instruction-only with no install spec or downloaded code, so nothing is written to disk by an installer. That lowers supply-chain risk.
Credentials
Only one credential is requested (NEMO_TOKEN), which is proportionate for a cloud service. But the skill instructs creating/storing anonymous tokens and references a config path for persisted session state; you should confirm where tokens/session data are stored and for how long.
Persistence & Privilege
always:false and normal autonomous invocation are fine. The skill does instruct storing session_id and implies use of ~/.config/nemovideo/ for state; verify whether the skill will write files there and what it persists (tokens, job IDs, possibly orphaned job references).
What to consider before installing
This skill appears to do what it says (cloud audio editing) but it will contact https://mega-api-prod.nemovideo.ai, may automatically create anonymous tokens for you, and may check certain directories on your machine to set a header. Before installing: (1) confirm the publisher and a homepage or source so you can review privacy/security policies; (2) prefer supplying your own NEMO_TOKEN rather than letting the skill auto-generate one if you care about account linkage; (3) ask where tokens and session data are stored and how long audio/uploaded files are retained; (4) be aware audio files will be sent to an external service (do not upload sensitive audio without verifying retention/processing rules); and (5) ask the maintainer to resolve the metadata inconsistency about required config paths.


latest: vk971p2s2ecczjtx00rsxkxt75n84knp1

Runtime requirements

🎧 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
