Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Compressor App

v1.0.0

Turn a 500MB 4K travel video into 1080p compressed MP4 files just by typing what you need. Whether it's reducing video file size for sharing or uploading or...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud video compression) align with the runtime instructions (upload video, queue render, export). Requesting a NEMO_TOKEN for an external nemovideo API is expected for this purpose. However the registry metadata shown earlier lists no config paths while the SKILL.md frontmatter declares a config path (~/.config/nemovideo/), and the skill has no source/homepage — this mismatch reduces transparency.
Instruction Scope
Instructions are narrowly focused on creating/using a session token, uploading videos, streaming SSE chat, polling render status, and returning download URLs — all consistent with the described feature. They direct the agent to POST user-uploaded video data to https://mega-api-prod.nemovideo.ai. The skill also instructs the agent to generate and store anonymous tokens and session IDs and to avoid showing raw token values to users. These behaviors are reasonable for a hosted service, but they mean user files and freshly minted credentials will be sent to and stored by an external service.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer, which is lowest install risk. Runtime instructions do imply storing session data (session_id and token) but do not prescribe an arbitrary download or execution step.
Credentials
The only declared environment credential is NEMO_TOKEN (primary), which is proportionate to a hosted compression service. But SKILL.md instructs generating an anonymous token if none is present and implies storing tokens/session state (and the frontmatter lists ~/.config/nemovideo/). The registry metadata provided earlier did not list that config path — an inconsistency. Users should know where the token/session will be stored and whether the skill will reuse or leak those credentials to other components.
Persistence & Privilege
always:false (normal). The skill is allowed to be invoked autonomously (disable-model-invocation:false) which is typical; combined with automatic token generation and the ability to upload user videos to an external cloud GPU render farm, this gives the skill the practical capability to send user files off-platform without additional prompts. That is expected for this functionality, but increases blast radius if the service or skill were malicious.
What to consider before installing
This skill behaves like a cloud-hosted video compressor: it will upload any video you drop into the chat to https://mega-api-prod.nemovideo.ai, create or use a NEMO_TOKEN, and store session state (session_id) for subsequent calls. Before installing or using it:
1) Decide whether you are comfortable uploading the videos you will provide (do not upload sensitive content).
2) Ask the publisher for source code, a privacy policy, and a clear explanation of where tokens/sessions are stored (the SKILL.md references ~/.config/nemovideo/ but registry metadata omitted it).
3) If you trust the service, consider setting NEMO_TOKEN yourself (so the skill doesn't auto-provision credentials) and rotate/delete any tokens after use.
4) The skill has no listed homepage or source — prefer skills with verifiable publishers.
Because of the metadata mismatch and lack of provenance, proceed only if you accept the privacy trade-offs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b7mmtmwya0qeft6hxj0etp184pabv

Runtime requirements

🗜️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
