Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Compressor Free
v1.0.0Turn a 500MB 10-minute MP4 recording into 1080p compressed MP4 files just by typing what you need. Whether it's reducing video file size for sharing or uploa...
⭐ 0· 20·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims cloud video compression and only requests a single service token (NEMO_TOKEN), which is coherent. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — a mismatch worth flagging. The header attribution logic that inspects install paths (~/.clawhub/ or ~/.cursor/skills/) is also unnecessary for the stated purpose and presumes filesystem/installation-path visibility.
Instruction Scope
Instructions instruct the agent to obtain an anonymous token if NEMO_TOKEN is not present, create and store a session_id, and upload files using multipart form data (examples show '-F "files=@/path"'). These steps imply the agent will perform network calls and may reference local file paths; the SKILL.md does not clearly state where tokens/session IDs are stored (env, memory, disk) and instructs not to show raw tokens to the user. The combination of automatic anonymous-auth token creation plus unclear storage is a scope and transparency concern. The install-path-based X-Skill-Platform detection implies the agent should inspect local paths, which is outside the minimal need to compress user-uploaded videos.
Install Mechanism
No install spec or code is provided (instruction-only), so nothing will be automatically written to disk by the skill itself. This lowers installation risk.
Credentials
Only NEMO_TOKEN is declared as required, and that matches a cloud API token the skill needs. However the skill will auto-generate an anonymous token via the API if NEMO_TOKEN is absent, effectively obtaining credentials on the user's behalf. The frontmatter's configPaths field (~/.config/nemovideo/) is present in the SKILL.md but not in the registry requirements — inconsistent and should be clarified.
Persistence & Privilege
The skill does not request always:true and does not claim it will modify other skills or system-wide config. It asks to 'store' a session_id for subsequent requests, which is normal for session-based APIs, but the storage location and lifetime are unspecified (ephemeral agent memory vs persistent file).
What to consider before installing
This skill appears to implement a cloud-based video compressor and mostly asks for an expected API token (NEMO_TOKEN). Before installing or using it: (1) Confirm you trust the external domain (mega-api-prod.nemovideo.ai) — the skill will send your video files to that service. (2) Decide whether you want the skill to auto-create anonymous credentials; if you prefer control, provide your own NEMO_TOKEN. (3) Ask the developer to clarify where tokens and session IDs are stored and for how long, and whether the agent will attempt to read arbitrary local file paths (the upload examples imply it could). (4) Note the small metadata inconsistency (declared configPaths in SKILL.md vs registry) — request a corrected manifest. If these points are acceptable and you trust the backend service and its privacy policy, the skill's behavior is coherent; otherwise treat it as potentially risky and avoid uploading sensitive videos until clarified.Like a lobster shell, security has layers — review code before you run it.
latestvk97crwykahrwqxhs3845bj2g0984qs8e
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🗜️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN