Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
How To Edit Videos
v1.0.0edit raw video footage into edited video clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and YouTubers use it for t...
⭐ 0· 20·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (remote AI video editing, upload/process/export) match the SKILL.md instructions (upload endpoints, render pipeline). Requesting a single NEMO_TOKEN credential is proportionate to a remote API client. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths—this mismatch is unexplained.
Instruction Scope
Instructions stay within video-editing scope: obtain or generate an API token, create a session, upload media, use SSE for edits, poll export status, and return download URLs. They do not instruct reading unrelated system files. A minor scope question: the skill asks to 'auto-detect' an install platform from an install path (clawhub/cursor/unknown), which may require reading agent runtime/install information—this is reasonable for attribution but worth confirming doesn't access other agent config.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written to disk by an installer step in the package itself.
Credentials
Only NEMO_TOKEN is declared as required, which fits a 3rd-party API. But the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that implies the skill might read local config files; the registry summary did not list that path. Confirm whether the agent will read that path (and what it contains). Also confirm that NEMO_TOKEN is a dedicated API token (not a more powerful system credential) before providing it.
Persistence & Privilege
The skill is not forced-always and uses normal autonomous invocation defaults. It does not request to modify other skills or system-wide settings. No persistence or elevated privileges are requested in the package itself.
Scan Findings in Context
[no_regex_matches] expected: The scanner found no code files to analyze (this is an instruction-only skill). That absence is expected but means static regex signals are unavailable; assessment relies on SKILL.md content.
What to consider before installing
This skill appears to be a straightforward client for a remote video-editing API, but check a few things before installing: 1) Verify the API domain (mega-api-prod.nemovideo.ai) and its privacy/terms — understand what happens to uploaded videos and how long they're stored. 2) Confirm NEMO_TOKEN is scoped only to this service (don't reuse any sensitive tokens like cloud provider or personal account tokens). 3) Ask the publisher why the SKILL.md frontmatter mentions a local config path (~/.config/nemovideo/) while registry metadata did not — clarify whether the agent will read that folder and what it contains. 4) Test with non-sensitive/sample videos first and limit token privileges/expiry where possible (use the anonymous-token flow if appropriate). 5) If you need stronger assurance, request the skill's homepage or source, or run the integration in a sandboxed agent environment.Like a lobster shell, security has layers — review code before you run it.
latestvk972vvtav89yspkc4wktyb70n984qezh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN