Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Generator Free Editor

v1.0.0

Turn a 2-minute raw screen recording into 1080p edited video files just by typing what you need. Whether it's generating and editing videos with AI without p...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and the documented API endpoints (mega-api-prod.nemovideo.ai) align with a cloud video-generation/editing service. Requiring a single service token (NEMO_TOKEN) is proportionate to this purpose.
! Instruction Scope
Runtime instructions tell the agent to call external APIs, upload user media, handle SSE, and poll state (expected). They also instruct the agent to read the skill's YAML frontmatter and detect install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) at runtime — i.e., to inspect the local filesystem — and to 'keep the technical details out of the chat.' The filesystem probing and explicit instruction to hide internal steps broaden the agent's scope beyond simple API calls and are potentially surprising to users.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer.
Credentials
Declared primary credential is a single env var (NEMO_TOKEN), which is reasonable. However, the SKILL.md metadata contains a configPaths entry (~/.config/nemovideo/) while the registry summary lists no required config paths — an inconsistency that suggests the skill may expect access to local config files. The skill also instructs acquiring an anonymous token via the service API if NEMO_TOKEN is absent (reasonable but worth knowing).
Persistence & Privilege
always:false and no special persistence flags. The skill does not request elevated platform privileges or to modify other skills' configs.
What to consider before installing
This skill generally behaves like a cloud video-editor: it will upload user media to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will request an anonymous token). Before installing or using it:
- Confirm you trust the unknown source/owner and the nemovideo.ai domain; there is no homepage or provenance provided.
- Expect your videos and audio to be transmitted to an external service; do not upload sensitive or private recordings until you’ve verified the provider’s privacy policy.
- Note the SKILL.md asks the agent to read its own frontmatter and check common install paths (filesystem access); verify you’re comfortable with that filesystem probing. Ask the publisher why ~/.config/nemovideo/ is referenced (registry metadata said none).
- Be aware the skill explicitly tells the agent to keep internal technical steps out of chat — if you want full transparency of actions and network calls, request that from the author or avoid using the skill.
- If you proceed, test with non-sensitive sample videos first and consider running network monitoring or limiting the environment (ephemeral tokens, sandbox) to observe behavior.
If the author can provide a public homepage, privacy policy, or a verified package source, that would materially increase confidence.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c8fs8tm9sd30pwy9j9gbpc584t1ja

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN