Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editor With Ai Enhancer

v1.0.0

Edit raw video footage into AI-enhanced video with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Content creators and social media marketers...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's declared purpose (remote AI video editing) aligns with the network calls and the single required credential (NEMO_TOKEN). However, the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and inconsistent.
Instruction Scope
Instructions direct uploading users' video files to an external API (expected for this purpose) but also instruct the agent to "Keep the technical details out of the chat," which encourages hiding backend activity from users. The SKILL.md also references using local file paths (multipart '@ /path') and auto-detecting install path for a header value — instructions that may be ambiguous or impossible depending on runtime and that broaden what the agent may try to access.
Install Mechanism
No install spec and no code files (instruction-only) — lowest-risk installation surface. Nothing is downloaded or written to disk by the skill itself.
Credentials
Only a single credential (NEMO_TOKEN) is declared, which is appropriate for an API-backed video service. The SKILL.md's anonymous-token flow (POST to obtain a short-lived token) is consistent with giving the agent API access, but requires network calls that will expose user-uploaded media. The extra configPath in the SKILL.md frontmatter is not justified by the registry metadata and raises a minor proportionality question.
Persistence & Privilege
always is false and the skill does not request system-wide changes. It creates sessions on a remote service only. Autonomous invocation is enabled by default (normal) but not combined with unusually broad permissions here.
What to consider before installing
This skill appears to perform remote AI video editing and reasonably needs an API token and the ability to upload files — that part is coherent. Things to consider before installing:
(1) The skill will upload your videos to https://mega-api-prod.nemovideo.ai — do not send sensitive or private footage unless you trust the service and have reviewed its privacy/security policy.
(2) SKILL.md tells the agent to "Keep the technical details out of the chat," which reduces transparency about what is sent and when — ask the publisher why that is necessary.
(3) There is an inconsistent reference to a local config path in the skill frontmatter; confirm whether the skill actually needs local files or config access.
(4) Because this is an instruction-only skill with no homepage or publisher info, prefer testing with a short non-sensitive clip first and verify where uploads go and how tokens are handled.
If you need stronger guarantees, request the publisher's documentation, a privacy policy, or prefer a skill from a known/trusted source.

Like a lobster shell, security has layers — review code before you run it.

latestvk970fxtzbjkp5rmm0rws6gbj7184rydd


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
