Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Compressor Bitrate

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — compress this video to 8 Mbps bitrate without losing visible quality — and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (cloud-based video bitrate compression) match the runtime instructions, which call a nemo-video backend. Requesting a NEMO_TOKEN credential is reasonable. However, the registry metadata declares no required config paths, while the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/); this is an internal inconsistency.
Instruction Scope
Instructions are explicit about network calls, session creation, uploading user files, SSE streaming, and required request headers. This is within the stated purpose (cloud render/export). Important privacy implication: user video files are uploaded to https://mega-api-prod.nemovideo.ai. The skill also instructs detecting an install path to set X-Skill-Platform headers, which implies reading environment/paths to build attribution headers.
Install Mechanism
No install spec or code files are present (instruction-only). That minimizes on-disk code risk; the skill only performs network interactions described in SKILL.md.
Credentials
Only NEMO_TOKEN is declared as the primary credential, which is coherent for an API-backed service. However, SKILL.md documents an anonymous-token fallback (it will POST to an auth endpoint to obtain a token if NEMO_TOKEN is absent), so marking NEMO_TOKEN as required in registry metadata is misleading. The frontmatter also references a config path (~/.config/nemovideo/) not declared in the registry, which suggests possible local config storage but is not reflected in declared requirements.
Persistence & Privilege
always:false is set, and no install scripts are present. The skill does not request elevated or permanent platform-wide privileges in the manifest. Autonomous invocation is enabled (the platform default) but not combined here with other high-risk indicators.
What to consider before installing
This skill uploads whatever video you provide to a third-party API (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN or an anonymous token it will fetch for you — do not use it with sensitive or private videos unless you trust that service. Note the manifest inconsistencies: the registry marks no config paths and NEMO_TOKEN as required, but the SKILL.md shows an anonymous-token fallback and mentions a config path (~/.config/nemovideo/). Before installing or using: (1) confirm the service owner and privacy/terms for mega-api-prod.nemovideo.ai, (2) decide whether to supply your own NEMO_TOKEN (vs. letting the skill obtain an anonymous token), (3) ask the skill author to fix the manifest inconsistency about required config paths and required env vars, and (4) avoid sending sensitive content until you verify where tokens/configs are stored and how long data is retained.

Like a lobster shell, security has layers — review code before you run it.

latestvk9705fqjs76d36y4wz6e87rbdn84watj

Runtime requirements

📉 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
