ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Gratuit

v1.0.0

edit video clips into free edited videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. casual creators and students use it for editing a...

0· 19·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform cloud video editing and its network endpoints and upload instructions align with that purpose. However, registry metadata declares no required config paths while the skill's YAML frontmatter lists ~/.config/nemovideo/ as a config path. Also the registry marks NEMO_TOKEN as required even though the runtime flow auto-provisions an anonymous token if none is present — this mismatch is inconsistent and should be clarified.
Instruction Scope
SKILL.md instructs the agent to upload user video files (multipart or by URL) to nemovideo API endpoints and to poll render status via SSE — which is expected for this service. It also instructs generating an anonymous token (POST to /api/auth/anonymous-token), storing session_id, and deriving attribution headers from YAML frontmatter and the agent's install path. The install-path based header derivation implies the agent would read its filesystem/install location to set X-Skill-Platform; that is a scope expansion beyond pure API calls and should be explicit to the user.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; there is no package download or archive extraction. No filesystem writes are explicitly required by an installer, lowering installation risk.
Credentials
The only credential declared is NEMO_TOKEN (primaryEnv), which is appropriate for an external API. But the skill both lists NEMO_TOKEN as required and gives a flow to auto-create an anonymous token if it's missing — that's inconsistent. The YAML also references a config path for storing state; it's unclear whether long-lived credentials or session tokens will be written there. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
The skill instructs storing a session_id and implies persistent config under ~/.config/nemovideo/ (per YAML), so it may persist tokens/session state locally. It does not request 'always: true' or other elevated platform privileges. Persisting tokens is reasonable for a client session but the exact storage location and lifecycle (where/how tokens are stored, how to clear them) are not specified.
What to consider before installing
This skill will upload your videos and related edit requests to an external service (mega-api-prod.nemovideo.ai). Before installing, confirm: (1) whether NEMO_TOKEN is actually required or will always be auto-created, (2) where session tokens and any credentials are stored on disk (the YAML mentions ~/.config/nemovideo/), and how you can delete them, (3) the service's privacy and data-retention policy for uploaded videos, and (4) whether deriving X-Skill-Platform by reading install paths is necessary and acceptable in your environment. If you do not want your videos or metadata sent to a third party, do not enable this skill. The mismatches between registry metadata and the SKILL.md (env/config requirements) are explainable but should be clarified by the publisher before trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dhy17pq4dc0y37t3y121f9n852gg5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments