ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Ai Easy

v1.0.0

beginner creators edit raw video footage into polished edited clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p...

0· 56·0 current·0 all-time
by@dsewell-583h0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud AI video editing) aligns with the HTTP endpoints and upload/export workflows in SKILL.md. However, the frontmatter references a local config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and unnecessary for basic upload/edit/export functionality.
Instruction Scope
Instructions are focused on authenticating, creating a session, uploading media, and polling render status — all expected. Points to clarify: (1) the skill tells the agent to auto-detect an 'install path' to set X-Skill-Platform (ambiguous for an instruction-only skill), and (2) upload examples show multipart file uploads using local file paths (agent will read user-supplied files, which is expected for an editor but should be constrained to user-provided content). No instructions request arbitrary system files beyond the mentioned config path.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk by an installer. This is lower-risk from an installation standpoint.
!
Credentials
The skill declares a single credential (NEMO_TOKEN), which is appropriate for a cloud API. Concern: SKILL.md/frontmatter also references accessing ~/.config/nemovideo/ (not declared in registry metadata) which would grant additional access to local config files. Also the skill will create an anonymous token via the API if NEMO_TOKEN is absent — acceptable but means the agent will perform network auth automatically. The extra config-path access is disproportionate unless the skill truly needs local config.
Persistence & Privilege
The skill does not request always:true, has no install scripts, and does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not by itself a red flag here.
What to consider before installing
Before installing or using this skill: (1) ask the publisher to explain the mismatch between the registry metadata and the SKILL.md frontmatter about ~/.config/nemovideo/ — confirm whether the skill will read that directory and why. (2) Understand that the skill will use NEMO_TOKEN (you can supply your own) or automatically create an anonymous token by calling https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token; ensure you trust that domain and its privacy/data-retention policy. (3) Only upload non-sensitive footage until you confirm where media and derived files are stored and how long they are retained. (4) Ask how X-Skill-Platform is auto-detected and what filesystem paths the agent will read to determine it. (5) If you require stronger assurance, request an explicit privacy/security policy, or prefer a skill from a known publisher with a homepage/source. Clarifying these items would raise confidence; unresolved config-path access or unexpected local-file reads should be treated as a reason to avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cj2qgxtfmf4s1nt19p5cqzh84jfr8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments