ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clipchamp

v1.0.0

Turn a 2-minute screen recording or phone footage into 1080p polished edited videos just by typing what you need. Whether it's editing and exporting videos q...

0· 35·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description claim cloud-based AI video editing and the SKILL.md only asks for a single service token (NEMO_TOKEN) and details API endpoints for uploading, session creation, and exporting. Requiring NEMO_TOKEN is proportionate to the described remote-rendering capability.
Instruction Scope
The instructions explicitly direct the agent to upload user-provided video files and metadata to https://mega-api-prod.nemovideo.ai and to create/use session tokens. Uploading user files to an external service is expected for this purpose, but it is privacy-sensitive—video and any embedded audio/metadata will be transmitted. The skill also instructs the agent to read or infer install/config paths for attribution headers, which may require examining local paths or config files.
Install Mechanism
Instruction-only skill with no install spec or bundled code, so nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
Only NEMO_TOKEN is declared as required, which matches the API usage. However the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) even though the registry metadata lists no required config paths — small inconsistency. The anonymous-token flow is provided as a fallback if no token is present, which means the agent will call an auth endpoint to mint a short-lived token if needed.
Persistence & Privilege
always:false and no special system privileges are requested. The skill asks the agent to save session_id/token for the session (normal for a client). It does not request persistent/always-on inclusion or modification of other skills.
Assessment
This skill appears to be a thin client for a cloud video-rendering service and will upload any video files you give it to mega-api-prod.nemovideo.ai for processing. Before installing or using it: 1) Confirm you trust the external domain/owner (source is marked unknown). 2) Don't send sensitive or private footage unless you accept that it will be transmitted and stored/processed by that service. 3) If you don't have a NEMO_TOKEN, the skill will request an anonymous token from the service (creates a short-lived credential); be aware this still transmits a generated client id and may create records on the provider. 4) The SKILL.md suggests reading a local config path and install path to set attribution headers—verify whether your agent implementation will actually read those locations and whether that exposes anything sensitive. 5) If you need higher assurance, ask the skill author for the official source/repository or confirm the domain and ownership before granting token access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dp67dkd0wwswf3r7vb12axd84q7q1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments