Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Capcut

v1.0.0

edit raw video clips into edited MP4 clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. TikTok creators use it for automatically editin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (AI video editing, MP4 exports up to 500MB) aligns with the runtime instructions and API endpoints (upload, render, export). Requesting a single API token (NEMO_TOKEN) is proportionate. However, SKILL.md metadata lists a config path (~/.config/nemovideo/) while the registry summary indicated no required config paths — this mismatch is inconsistent and worth noting.
Instruction Scope
The SKILL.md instructs the agent to: use NEMO_TOKEN if present, otherwise obtain an anonymous token from https://mega-api-prod.nemovideo.ai, create sessions, upload user video files, drive SSE chat/edit workflow, poll render status, and return download URLs. Those actions are within scope for a cloud video editor, but they explicitly send user media and session state to a third-party API and require constructing attribution headers. The instructions do not ask to read unrelated system files or other credentials, but they do imply storing/reading session data and possibly using the local config path in metadata.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be downloaded or written by an installer step. That minimizes install-time risk.
Credentials
Only one environment variable is required (NEMO_TOKEN), which is appropriate for a remote API. The SKILL.md also documents an anonymous-token fallback flow that posts a UUID to the vendor’s auth endpoint. The presence of a declared config path (~/.config/nemovideo/) in the skill metadata suggests the skill may persist tokens or session data locally — the registry metadata contradicted this, so verify whether tokens will be stored on disk and where.
Persistence & Privilege
The skill does not request always: true and is user-invocable. It does not declare system-wide configuration changes or access to other skills' credentials. Autonomous invocation is allowed (the platform default) but not combined with unusual privileges here.
What to consider before installing
This skill appears to do what it says — it uploads videos to a cloud API (mega-api-prod.nemovideo.ai) and returns edited MP4s. Before installing or using it, consider:
1) Do you trust nemovideo.ai with the videos you will upload? Sensitive content should not be sent.
2) The skill may store tokens or session data under ~/.config/nemovideo/ (SKILL.md metadata) even though the registry listed no config paths — ask the publisher or inspect where tokens are stored.
3) If you don’t provide a NEMO_TOKEN, the skill will obtain an anonymous token from the vendor (100 free credits, 7-day validity) — this means your files and job metadata will still go to the vendor.
4) There are no installer scripts, but the skill will transmit data over the network; review the vendor’s privacy/terms if available.
5) If you need stronger assurance, request the skill’s provenance (source code or official homepage) or a justification for the config path discrepancy before proceeding.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN