Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Highlight Editor 4k

v1.0.0

Create raw video footage into 4K highlight reels with this skill. Works with MP4, MOV, AVI, MKV files up to 500MB. Sports videographers, content creators, ev...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to produce 4K highlight reels, but the Cloud Render Pipeline text explicitly says compositing up to 1080x1920 (1080p). That is a direct capability mismatch. Otherwise requiring a NEMO_TOKEN for a remote render API is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to obtain anonymous tokens from an external API, create sessions, upload user files (multipart or URL), run SSE calls, poll render status, and return download URLs — all expected for a remote render service. It does not instruct reading unrelated local files, but it assumes the agent will 'store' session_id/token for subsequent requests without specifying where (in-memory vs disk). The metadata also references a config path (~/.config/nemovideo/) in frontmatter while the registry lists none — an inconsistency that could imply persistence to disk.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install footprint. All runtime behavior is via network calls to the documented API.
Credentials
Only one credential is required: NEMO_TOKEN (declared as primaryEnv). That is proportionate for a cloud-rendering integration. However, SKILL.md instructs automatic token generation if NEMO_TOKEN is missing, which requires contacting an external endpoint and then 'storing' the token/session; the storage location is unspecified. Also, the frontmatter references a config path (~/.config/nemovideo/) that suggests persistent storage, but the registry metadata did not declare required config paths — a mismatch that should be clarified.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation behavior. The main concern is potential persistence of tokens/sessions: SKILL.md speaks of storing session_id and generating/storing tokens but doesn't define where. If the skill persists credentials to disk (e.g., ~/.config/nemovideo/) that expands its long-term access to the external service — the registry vs README mismatch should be resolved.
What to consider before installing
This skill generally behaves like a cloud-rendering integration (requests a NEMO_TOKEN and calls a nemo-video API). Before installing:
1) Ask the publisher to confirm whether the service truly supports 4K output — the SKILL.md claims 4K but also says compositing 'up to 1080x1920', which is inconsistent.
2) Clarify where tokens/session IDs are stored (in-memory only or written to ~/.config/nemovideo/). Persistent storage would allow long-lived access tied to your environment.
3) Confirm you trust the domain mega-api-prod.nemovideo.ai and review their privacy/terms if you'll upload private footage.
4) If you want to avoid the skill auto-generating tokens, set NEMO_TOKEN yourself (and verify how to revoke it).
5) If anything about headers, polling, or file uploads seems unclear, ask the developer for a precise spec (how resolution is selected, cost/credit rules, and storage behavior) before use.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97arn7ygc2cw6e41rtkk080m584mm5c

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN