ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editor With Ai Assistant

v1.0.0

Get polished edited clips ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, WebM, up to 500MB), say something li...

0· 39·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared purpose (cloud AI video editing) aligns with the single required credential (NEMO_TOKEN) and the API endpoints in SKILL.md. However, the skill frontmatter asks for a config path (~/.config/nemovideo/) while the registry metadata listed none — this mismatch is unexplained and could indicate unstated file access or storage behavior.
Instruction Scope
Instructions stay within video-editing operations (session creation, SSE streaming, uploads, exports). They explicitly describe generating an anonymous token by POSTing to an external endpoint if NEMO_TOKEN is unset, uploading user files via multipart, and polling job status. Points of ambiguity: where and how session_id or tokens are persisted is unspecified, and the SKILL.md expects an 'install path' auto-detection to set X-Skill-Platform (there is no install step). Those gaps could lead to different implementations that read/write user config or infer paths unexpectedly.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is automatically downloaded or written by an installer).
Credentials
Requesting a single NEMO_TOKEN credential is proportionate for a cloud editing service. Caveats: the frontmatter's configPaths implies the skill may read/write ~/.config/nemovideo/, and SKILL.md instructs auto-creating and (implicitly) storing anonymous tokens. Both behaviors are reasonable for this purpose but are not declared consistently in the registry metadata and should be confirmed.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide modifications. Autonomous invocation is allowed (platform default) but not combined with elevated privileges in this package.
What to consider before installing
Before installing: 1) Confirm you trust the backend domain (mega-api-prod.nemovideo.ai) because any footage you upload will be sent there. 2) Decide whether to provide your own NEMO_TOKEN (preferred) rather than letting the skill auto-generate and store an anonymous token. 3) Ask the publisher where session tokens and metadata are stored (the SKILL.md hints at ~/.config/nemovideo/ but the registry entry doesn't declare it). 4) Be cautious about using this with sensitive video content (personal/confidential footage). 5) The package has no homepage or source listed — if you need higher assurance, request the developer/source code or more precise docs before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk972b6xvsmf6agh72800yhqczh84r1wm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments