ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

For Education Video Editing With

v1.0.0

Cloud-based for-education-video-editing-with tool that handles editing lecture and tutorial recordings for classroom or online course use. Upload MP4, MOV, A...

0· 50·0 current·0 all-time
by@susan4731-wilfordf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud-based video editing for educators) aligns with the runtime instructions: uploading video files, queuing render jobs, SSE streaming, and returning download URLs. The single required credential (NEMO_TOKEN) and declared endpoints are coherent with a cloud editing service.
!
Instruction Scope
Instructions instruct the agent to generate an anonymous token when NEMO_TOKEN is absent, perform network calls to mega-api-prod.nemovideo.ai, upload user video files, and persist session state. They also say not to display raw API responses or token values to the user. The agent is told to derive X-Skill-Platform from local install paths (~/.clawhub/ or ~/.cursor/skills/) and include it in request headers — this can expose local path/installation metadata to the remote service. The instructions do not specify where session_id or token are stored, or how user consent is obtained before uploading potentially sensitive video files.
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes installer risk (no remote downloads or archive extraction).
Credentials
Only NEMO_TOKEN is required, which is proportional for a cloud API. However the skill will auto-request and persist an anonymous token if none is present and instruct the agent to keep token values hidden. Metadata in SKILL.md also references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — an inconsistency worth noting. Automatic token acquisition and silent storage may have privacy implications.
Persistence & Privilege
always is false and there is no install-time modification of other skills or system-wide settings described. The skill will persist session_id/token (implied) and may write under a service-specific config path, which is expected for this use case but should be confirmed.
What to consider before installing
This skill will upload your videos and call an external service at mega-api-prod.nemovideo.ai and expects a NEMO_TOKEN for authorization. If you don't provide one, it will automatically request an anonymous token and (per instructions) store it for later use. Before installing: (1) confirm you trust the nemovideo service and read its privacy/terms (videos may contain sensitive data); (2) consider providing your own NEMO_TOKEN rather than allowing automatic token generation if you want control; (3) be aware the skill adds headers that may expose local install paths/version info to the remote server; (4) ask the publisher which local path is used to store tokens/session_id and whether it is encrypted; and (5) if you need stronger guarantees, test with non-sensitive sample videos first or avoid installing. The registry metadata and the SKILL.md disagree about config path requirements — ask the author to clarify where credentials/state are stored.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ps22myjn23hwsr4kzqea0n84nq0z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎓 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments