Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Compressor Best
v1.0.0
Get compressed MP4 files ready to post, without touching a single slider. Upload your large video files (MP4, MOV, AVI, WebM, up to 500MB), say something lik...
by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (cloud video compression) align with what the instructions do (upload files, queue cloud GPU renders, return download URL). Requiring a single service token (NEMO_TOKEN) is coherent for a cloud API. Minor mismatch: registry metadata lists no required config paths, but the skill frontmatter requests a config path (~/.config/nemovideo/), which suggests it will write session state to disk; this should be clarified.
Instruction Scope
Runtime instructions tell the agent to POST user video files (or URLs) and session data to an external API (mega-api-prod.nemovideo.ai), create anonymous tokens when NEMO_TOKEN is absent, and read/detect install paths and frontmatter values at runtime. These actions are expected for a cloud compressor but they involve sending user content and creating/storing tokens. The instructions also tell the agent to keep tokens and raw API responses hidden from the user — ambiguous guidance about storage and visibility of credentials/session data increases risk if not implemented clearly.
Install Mechanism
Instruction-only skill with no install spec or third-party package downloads, which is the lowest-risk install model.
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which fits a cloud API. However: (1) SKILL.md will generate an anonymous token if NEMO_TOKEN is not present, making the registry's declaration of NEMO_TOKEN as a required env var inconsistent with the instructions; (2) the frontmatter requests a config path (~/.config/nemovideo/) for storing session state but the registry summary lists no required config paths — mismatched declarations about what the skill will read/write to disk. These inconsistencies should be resolved so users know whether a token must be provided and where session data will be stored.
Persistence & Privilege
always:false and normal autonomous invocation are fine. The skill expects to store session_id/state (frontmatter mentions a config path) and to read install paths for attribution headers; this is plausible but does mean the skill will read/write files in the user's home directory if implemented as written. No excessive privileges are requested, but persistent storage behavior should be confirmed.
What to consider before installing
This skill appears to do what it says (upload your videos to a cloud GPU service and return compressed files) but it will send your video files and session tokens to https://mega-api-prod.nemovideo.ai. Before installing: (1) Decide whether you trust that external service with your video content (avoid uploading sensitive videos). (2) Ask the publisher to clarify the mismatches: the registry marks NEMO_TOKEN as required but the skill auto-creates an anonymous token if none is provided, and the frontmatter lists a config path (~/.config/nemovideo/) while the registry says none — confirm whether the skill will write session files to disk and where. (3) If you prefer, obtain and set your own NEMO_TOKEN from the service (and confirm token lifetime/storage behavior) rather than relying on an auto-created token. (4) If you need stricter privacy, do not use this skill for confidential content and review the service's privacy/retention policy.
Like a lobster shell, security has layers — review code before you run it.
latest vk97c2wqs7mbfd5xy96g1gbdpfd851cfq
Runtime requirements
🗜️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
