Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Video Editor Free
v1.0.0
Tired of hitting paywalls every time you try to edit your YouTube videos? The youtube-video-editor-free skill helps creators trim clips, add captions, adjust...
by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims a cloud-backed, free YouTube editing workflow and declares a single primary credential (NEMO_TOKEN) for a remote processing API (nemovideo.ai). The declared env var and the documented API endpoints are consistent with the stated purpose (server-side edits, uploads, exports).
Instruction Scope
The SKILL.md instructs the agent to read/create a UUID at ~/.config/youtube-video-editor-free/client_id, to detect install paths (~/.clawhub, ~/.cursor/skills), and to upload user files via multipart to the external API. The skill registry metadata did not declare required config paths; the runtime behavior therefore accesses the filesystem and user files without those accesses being declared. Uploading arbitrary local files to an external service and writing a client_id file are significant actions that should be explicit in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That limits installer risk.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportionate to a cloud API-based editor. However, the skill also reads/writes a client_id file in the user's home config and reads install paths — those config accesses were not declared in requires.config. Users should understand NEMO_TOKEN gives bearer access to the remote processing service and can be used to upload and process video files.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges. Its runtime instructions do ask to create/read ~/.config/youtube-video-editor-free/client_id and to save session_id, which is limited persistence for this skill only; it does not modify other skills or global agent settings.
What to consider before installing
Before installing or enabling this skill, consider these steps:
(1) Verify the remote API domain (mega-api-prod.nemovideo.ai) and the service's privacy policy/owner — the skill's source and homepage are unknown.
(2) Understand that the skill will create/read ~/.config/youtube-video-editor-free/client_id and will upload files you provide (or URLs) to that external API using a bearer token (NEMO_TOKEN). Treat NEMO_TOKEN like a secret: only use a dedicated or throwaway token if you want to limit exposure.
(3) If you plan to upload sensitive footage, do not use this skill until you confirm where data is stored/processed and for how long.
(4) Ask the skill author to declare required config paths in metadata and to provide an official homepage or source repository.
(5) If you want to trial safely, run interactions in an isolated environment or provide non-sensitive test files and a temporary token.
Like a lobster shell, security has layers — review code before you run it.
latest vk97886z5mbzmve3d8x3b1n2nbs841mwk
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
