Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Editor Canva
v1.0.0
Get polished branded videos ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, PNG, JPG, up to 500MB), say something lik...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (Canva‑style cloud video editor) align with the API calls and workflows in SKILL.md. Requiring a single service token (NEMO_TOKEN) is expected. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — a mismatch in declared requirements and metadata that should be clarified.
Instruction Scope
Runtime instructions stick to the stated purpose: create sessions, upload user media, stream SSE edits, poll render status, and return download URLs. They explicitly tell the agent to POST files (multipart -F "files=@/path") which implies reading user-supplied file paths or attachments — expected for an upload flow, but worth noting because user data will be transmitted to the vendor cloud. The instructions also ask the agent to detect an install path to set an attribution header; that implies filesystem inspection of the agent environment (minor scope creep).
Install Mechanism
No install spec or code files — instruction-only skill. This is the lowest-risk install model because nothing is written to disk by the skill bundle itself.
Credentials
The only required environment credential is NEMO_TOKEN, which is proportionate to calling the described API. The skill also documents generating an anonymous token via an API (100 credits, 7‑day expiry) if no token exists — that behavior is plausible but means the agent may persist and reuse a token representing credits/billing. The SKILL.md includes a config path in its metadata which wasn't reflected in registry-level 'required config paths' — verify whether the skill will read or write ~/.config/nemovideo/ and what it stores there. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not instruct modifying other skills or system-wide configuration (beyond possibly storing the session/token), so persistence/privilege requirements appear reasonable.
What to consider before installing
This skill appears to be a straightforward cloud-based video editor that uploads your media to nemovideo.ai and uses a NEMO_TOKEN Bearer token for API calls. Before installing:
- Confirm you trust the vendor (no homepage or publisher info is provided here).
- Understand that any files you upload will be sent to the vendor's servers — do not upload sensitive personal or corporate files without verifying privacy and retention policies.
- The skill can generate an anonymous token and may persist it (100 credits, 7‑day expiry). Check where tokens/sessions will be stored (SKILL.md references ~/.config/nemovideo/) and whether that differs from registry metadata.
- Verify billing/credits implications for your account if you provide a long‑lived NEMO_TOKEN.
- Test first with dummy/non-sensitive media and monitor network requests if you can. If you need assurance, ask the publisher for a homepage, documentation, or source code before granting credentials.

Like a lobster shell, security has layers — review code before you run it.
latest: vk9785bsnbdfxc9pj2zbf2w1yb584tp64
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
