ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editor Online

v1.0.2

Edit videos online using AI — no software download, no installation, no powerful computer required. NemoVideo runs entirely in the cloud: upload a video from...

0· 105·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The advertised purpose (cloud video editing) matches the runtime instruction to call a NemoVideo API. However the SKILL.md repeatedly says "No account" / "No download" while the example cURL uses an Authorization: Bearer $NEMO_TOKEN and the metadata declares a primary credential NEMO_TOKEN. That contradiction (no-account vs requiring a token) is unexplained and reduces confidence.
!
Instruction Scope
The instructions show an API request that will send prompts and job parameters to mega-api-prod.nemovideo.ai using $NEMO_TOKEN. The SKILL.md does not explain upload mechanics (how the video bytes are uploaded or how the generate endpoint finds the uploaded file), nor does it describe token acquisition, scopes, or where processed video URLs are hosted. The instructions do not ask to read unrelated local files, but the presence of a config path in SKILL.md metadata (see environment_proportionality) suggests additional behavior that is not documented.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk footprint and is proportionate to a simple API-integration skill.
!
Credentials
Requiring a single service token (NEMO_TOKEN) is reasonable for a cloud API. However the registry lists no required env vars while the SKILL.md metadata sets primaryEnv: NEMO_TOKEN and a configPaths entry (~/.config/nemovideo/). The mismatch between the registry and the SKILL.md metadata (and the "No account" claim) is inconsistent. The config path implies possible access to local config files which is not explained or justified.
Persistence & Privilege
always:false and normal user-invocable/autonomous invocation settings. The skill does not request elevated persistence or to modify other skills; no 'always' privilege concerns.
What to consider before installing
Before installing or providing credentials, ask the skill author (or documentation) to clarify: 1) Do you really require an account/token? How is NEMO_TOKEN obtained and what scopes/permissions does it grant? 2) How are videos uploaded (direct multipart upload, presigned URL, or embedded in API calls)? Where are processed videos stored and how long are they retained? 3) Why does SKILL.md include a local config path (~/.config/nemovideo/) — will the skill read or write local files? 4) Request privacy/retention and encryption policies for uploaded media. If you must use the skill, prefer a scoped API key with minimal privileges, do not reuse high-value credentials, and avoid uploading highly sensitive footage until the above questions are answered. If the documentation remains inconsistent (no-account claim vs token usage and unexplained config paths), treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97329dzh105gta12xww6b1ccn83ts7k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Primary envNEMO_TOKEN

Comments