Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Maker Pro
v1.0.0create raw video footage into polished professional videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and marketers...
⭐ 0· 19·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (remote video editing) aligns with the runtime instructions (upload video, request render, return download URL) and the single required credential NEMO_TOKEN is consistent with calling a third‑party API. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata claims no required config paths — that mismatch is unexplained.
Instruction Scope
Instructions tell the agent to contact https://mega-api-prod.nemovideo.ai to: obtain anonymous tokens if NEMO_TOKEN is absent, create sessions, upload media, poll renders, and include attribution headers. Those network calls and file uploads are expected for a cloud editing service, but the skill also mandates specific attribution headers and references an on‑disk config path in its frontmatter (possible implicit access to ~/.config/nemovideo/). The SKILL.md does not explicitly explain reading that config path but the metadata suggests it may be used — this ambiguity increases risk because it could cause the agent to look for and use local credentials/config unexpectedly.
Install Mechanism
Instruction-only skill with no install spec and no bundled code files. This is low risk from a code‑delivery perspective: nothing will be written to disk by an installer step.
Credentials
Only one declared environment variable (NEMO_TOKEN), which is appropriate for a service that requires authentication. The skill instructs the agent to obtain an anonymous token on the user's behalf if NEMO_TOKEN is missing — this means it will still contact the remote API and can upload user files even without user-supplied credentials. The frontmatter's configPaths entry (present in SKILL.md but not in registry metadata) suggests possible access to ~/.config/nemovideo/, which is not justified elsewhere.
Persistence & Privilege
always is false and there are no install scripts or persistent modifications described. The skill can be invoked autonomously (the platform default) but it does not request elevated persistence or alter other skills' configs.
What to consider before installing
This skill appears to implement a cloud video-editing workflow (you upload raw video, rendering happens on nemovideo.ai, you get a download URL). Before installing or using it, consider: 1) Your videos will be uploaded to a third‑party service (https://mega-api-prod.nemovideo.ai) — do not upload sensitive or private footage unless you trust the service and understand its privacy policy. 2) If you don't provide NEMO_TOKEN, the skill will request an anonymous token itself and proceed — be aware it can still transmit your files. 3) There is an unexplained metadata mismatch: SKILL.md references a local config path (~/.config/nemovideo/) that the registry metadata does not list; confirm whether the skill will read local config files or tokens. 4) The skill requires specific attribution headers; this is likely benign but is unusual — verify the origin/maintainer (no homepage is provided). If you need stronger assurance, ask the publisher for a homepage or privacy policy, insist on using your own service token rather than anonymous issuance, and avoid sending sensitive videos until you verify the provider.Like a lobster shell, security has layers — review code before you run it.
latestvk97b71vyxya2xbkw27rbbqbfq9853p5p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN