Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Editor With Ai Captions
v1.0.0add video clips into captioned video files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. YouTubers and social media creators use it for...
⭐ 0· 40·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description describe a cloud-based video captioning/export tool; the only declared credential (NEMO_TOKEN) is appropriate for a hosted API. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata earlier said 'required config paths: none' — this mismatch is incoherent and should be clarified. The skill has no homepage or source, which reduces ability to verify the backend service.
Instruction Scope
Runtime instructions require using NEMO_TOKEN or automatically obtaining an anonymous token via network calls, uploading user video files to https://mega-api-prod.nemovideo.ai, and reading 'this file's YAML frontmatter' and the install path to set X-Skill-Platform. Reading install paths and frontmatter implies filesystem access beyond simple API calls and may expose local installation details. The skill will send user-supplied video/audio content to an external service — a substantial privacy action that should be made explicit to the user before upload. Automatic anonymous token acquisition means the agent will perform network auth without explicit user consent if NEMO_TOKEN is absent.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk by an installer. That lowers supply-chain risk, but runtime network/file operations still occur as described.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which matches the need to call a hosted API. However SKILL.md frontmatter references a config path (~/.config/nemovideo/) and instructions say to detect install path to set X-Skill-Platform — these imply additional filesystem reads not declared in the registry metadata. The anonymous-token fallback uses no secret but does perform network calls; this behavior should be explicit to users.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does instruct creating sessions and render jobs on the backend (normal for the task). Autonomous invocation is allowed by default (not flagged itself), which combined with automatic anonymous-token acquisition and file uploads increases the potential blast radius if misused.
What to consider before installing
This skill appears to perform cloud captioning and export, which requires uploading your video/audio to a third-party API (https://mega-api-prod.nemovideo.ai). Before installing or using it: (1) confirm you trust that remote service and its privacy policy — sensitive footage will leave your device; (2) prefer supplying your own NEMO_TOKEN rather than letting the agent auto-create an anonymous token (the skill will perform network auth automatically if NEMO_TOKEN is missing); (3) ask the publisher for source or homepage and clarify the conflicting metadata about config paths (~/.config/nemovideo/ is referenced in the skill but not declared in the registry metadata); (4) be aware the skill instructs reading install paths/frontmatter to set attribution headers (this requires filesystem access that you should be comfortable granting); (5) if you need stronger assurance, request the skill's source code or an official service page and test with non-sensitive sample videos first.Like a lobster shell, security has layers — review code before you run it.
latestvk973j85z91b2zb3a528ccb2aas84sjeh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN