ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Online

v1.0.0

Cloud-based editor-online tool that handles editing videos directly in the browser without software. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe...

0· 17·0 current·0 all-time
by@whitejohnk-26
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud video editor) match the runtime instructions (upload videos, start render jobs, poll for results). Requesting a single service token (NEMO_TOKEN) is appropriate. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this inconsistency in declared requirements and the lack of a homepage/origin make provenance unclear.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to upload user-provided media to https://mega-api-prod.nemovideo.ai and to obtain anonymous tokens automatically if NEMO_TOKEN is absent. Uploading user files to an external service is consistent with the stated purpose but is a material privacy action: the agent will transmit potentially large and sensitive media off-device. The instructions also require auto-detecting an install path for an attribution header (possible filesystem probing) and mandate specific headers. The instructions do not ask for unrelated system secrets, but they will cause network exfiltration of user files to an external endpoint.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes local install risk (nothing downloaded or written by an install step).
Credentials
Only a single credential (NEMO_TOKEN) is required, which fits a service that needs an API token. The SKILL.md will attempt to mint an anonymous token if NEMO_TOKEN is missing and then use it as the session token — reasonable for usability but means the skill may operate without an explicit user-provided secret. Verify what the NEMO_TOKEN actually authorizes (scope, associated account) before supplying a long-lived token from another account.
Persistence & Privilege
always:false and no install steps; the skill does not request elevated persistence. It may encourage storing or reusing the anonymous token (tokens expire after 7 days), but it does not itself declare writing to other skills' configs or system-wide changes.
What to consider before installing
This skill appears to be a coherent cloud video-editor but comes from an unknown source and will upload your files to mega-api-prod.nemovideo.ai. Before installing/using: (1) Do not upload sensitive or private videos until you verify the service's owner, privacy policy, and legitimacy. (2) Prefer using a generated anonymous token rather than pasting a long-lived credential; confirm what NEMO_TOKEN grants access to. (3) Note the SKILL.md mentions a local config path (~/.config/nemovideo/) that isn't listed in the registry metadata — ask the publisher to clarify whether any local files will be read/written. (4) If you need strict data control, avoid using this skill or only test with non-sensitive clips. (5) If you decide to proceed, monitor network activity (or sandbox the agent) while first using the skill to confirm behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk9731bh2r094qnejw184p278bd84j2t9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments