ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fast Video Editing With

v1.0.0

Cloud-based fast-video-editing-with tool that handles quickly trimming and enhancing raw footage without manual editing. Upload MP4, MOV, AVI, WebM files (up...

0· 59·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, listed API endpoints, and required NEMO_TOKEN align with a cloud video‑editing service. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths; this mismatch is unexplained but could be benign (e.g., optional local config). The ability to obtain an anonymous token if NEMO_TOKEN is missing is coherent for giving a fallback.
Instruction Scope
Instructions are focused on uploading files, creating sessions, sending SSE messages, polling render state, and returning download URLs — all expected for this purpose. The runtime instructions also tell the agent to read the skill's YAML frontmatter and to probe user home paths (~/.clawhub, ~/.cursor) to detect platform; those filesystem checks are outside the core editing flow but are limited in scope (platform detection). The skill also instructs network POST/GET calls to an external domain (mega-api-prod.nemovideo.ai) which is central to its function.
Install Mechanism
No install spec or code files — instruction-only skill. This is the lowest install risk; nothing is downloaded or written by an installer per the provided metadata.
!
Credentials
Registry declares NEMO_TOKEN as the primary credential which is appropriate for a cloud API, but SKILL.md also documents an anonymous-token acquisition flow (POST to /api/auth/anonymous-token). The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that the registry did not declare — reading that path could expose local credentials/config not described in the registry. The number of secrets requested is small and plausible, but the metadata/registry inconsistency and implicit access to a local config merit caution.
Persistence & Privilege
The skill is not marked always:true and does not request elevated system privileges. It will run network requests and can be invoked autonomously (platform default). It also instructs probing the user's home for install-path detection which is low-privilege but broadens the data the skill can observe.
What to consider before installing
This skill appears to be a normal cloud video-editing integration, but before installing: (1) confirm you trust the remote domain https://mega-api-prod.nemovideo.ai because the skill sends your videos and bearer tokens there; (2) ask the publisher why the SKILL.md lists ~/.config/nemovideo/ when the registry shows no required config paths—that directory might contain tokens or config; (3) if you keep sensitive tokens in your environment, consider running the skill in a sandbox or remove sensitive env vars during use; (4) if you are uncomfortable with autonomous invocation, restrict the skill or require manual approval for network actions. If the publisher can explain the configPath mismatch and confirm no extra local secrets are read, the remaining behavior is consistent with the advertised purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk9708ftsjerpc9c3498x6vwjes84mbfv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments