Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Ai For Video Editing
v1.0.0Drop a video and describe what you want — and watch it come together fast. This skill is built around the best-ai-for-video-editing workflows: trimming dead...
⭐ 0· 30·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, required NEMO_TOKEN, and the API endpoints in SKILL.md align with a cloud video-editing service — needing an API token and the ability to upload video files is expected. However, the SKILL.md frontmatter also instructs detection of the agent install path (~/.clawhub, ~/.cursor/skills/) which is not justified by the stated editing purpose and is not declared in the top-level registry requirements.
Instruction Scope
Runtime instructions instruct the agent to: use NEMO_TOKEN or request an anonymous token, create sessions, upload local files (multipart @/path), and include attribution headers read from the skill's YAML frontmatter. They also direct the agent to detect install path(s) on the host (~/.clawhub, ~/.cursor/skills/) and to 'keep technical details out of the chat.' Reading install paths and hiding technical operations expand scope beyond pure editing and reduce transparency. Uploading user files to an external API is expected for this service but is a privacy/consent risk the user must accept explicitly.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by a packaged installer. This is the lowest-risk install mechanism.
Credentials
The only declared secret is NEMO_TOKEN (primary credential), which fits a hosted editing API. However: (1) the SKILL.md provides an alternative anonymous-token flow (it will obtain and use a token automatically), and (2) the frontmatter asks to read install paths that were not declared in registry metadata (possible undisclosed local reads). Both behaviors increase the effective privileges beyond the single declared env var.
Persistence & Privilege
always is false and there is no install script claiming persistent system changes. The skill can be invoked autonomously by the agent (platform default), but that alone is not a red flag here.
What to consider before installing
This skill appears to be a cloud-based video editor that uploads your video files to https://mega-api-prod.nemovideo.ai and uses an API token (NEMO_TOKEN) to operate. Before installing or invoking it: (1) Confirm you trust the nemo video service and are willing to upload your footage to that external endpoint; (2) Decide whether to set your own NEMO_TOKEN (safer) or allow the skill to fetch an anonymous token on your behalf (gives it immediate network access without a pre-provisioned credential); (3) Be aware the SKILL.md instructs the agent to read local install paths (~/.clawhub, ~/.cursor/skills/) and the skill's YAML frontmatter for attribution headers — these filesystem reads are not declared consistently in the registry metadata and expand what the agent will inspect; (4) If you need stronger guarantees, ask the skill author to remove or explicitly justify the install-path checks, to declare all config paths it will read, and to document exactly what is uploaded (whole files, metadata). If you are unsure, do not grant this skill access to sensitive videos or system areas until you can verify its trustworthiness.Like a lobster shell, security has layers — review code before you run it.
latestvk97e358crbwnm5prw28363aak58434c4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN