Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Editor Ai
v1.0.10
The complete AI-powered video editing suite for every creator — trim, cut, merge, add captions, color grade, speed ramp, add music, text overlays, transition...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a cloud-backed AI video editor and its instructions call a nemovideo API and persist a client_id under ~/.config/nemovideo — this is consistent with a cloud editing workflow. However, registry metadata provided with the skill (top-level summary) lists no required env/config while the SKILL.md metadata explicitly requires NEMO_TOKEN and ~/.config/nemovideo; meta.json also shows a different version and a different account. Those inconsistencies in declared requirements and provenance reduce trust.
Instruction Scope
SKILL.md instructs the agent to auto-acquire an anonymous token via a curl POST to https://mega-api-prod.nemovideo.ai, to save/generate ~/.config/nemovideo/client_id, and to route uploads/edits through the remote API. That implies uploading user video to an external service and writing a client_id to disk. Uploading user data to a remote API and persisting identifiers are within the advertised feature set but are material privacy/security actions that the user should be explicitly aware of.
Install Mechanism
This is an instruction-only skill with no install script or code files, so nothing is written to disk by an installer. The runtime instructions themselves perform network calls and write a small client_id file, but there is no package download or archive extraction to review.
Credentials
SKILL.md declares NEMO_TOKEN and a config path (~/.config/nemovideo/), which are reasonable for a cloud editing service. However, the top-level registry metadata omitted these requirements, creating an inconsistency. The skill also instructs the agent to generate and persist a client_id (UUID) and to obtain session tokens; persisting a client identifier can enable tracking across sessions/IPs, which is a privacy consideration. No broad unrelated credentials are requested, but the discrepancy in declared requirements is a red flag.
Persistence & Privilege
The skill does not request always:true and appears to only write its own client_id under ~/.config/nemovideo. It does not ask to modify other skills or system-wide configs. Autonomous invocation is allowed (platform default) — note that this increases the impact because the skill will perform network calls when used.
What to consider before installing
This skill will upload your video files to an external API (mega-api-prod.nemovideo.ai), generate and persist a client_id at ~/.config/nemovideo/client_id, and obtain/store session tokens. Those actions are consistent with a cloud-based editor, but:
1) verify the skill's provenance (homepage, GitHub repo, and owner) because the manifest shows inconsistent metadata and version/account mismatches;
2) review nemovideo's privacy, data retention, and terms before uploading sensitive videos;
3) if you need local/offline editing or cannot share the footage externally, do not install/use this skill;
4) confirm whether tokens are persisted beyond the session and how to revoke/delete uploaded content; and
5) if you want stronger assurance, ask the publisher for a signed release or an official package from the project's known repo before enabling the skill.
Like a lobster shell, security has layers — review code before you run it.
