ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy Ai Video Editor

v1.0.0

casual creators and social media users edit raw video footage into polished edited clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders o...

0· 57·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (cloud AI video editing) reasonably explains needing an API token for a backend. However the registry metadata asserts NEMO_TOKEN is required while the SKILL.md includes a full anonymous-token acquisition flow (so an env var isn't strictly necessary). The frontmatter in SKILL.md also lists a config path (~/.config/nemovideo/) that the registry metadata did not list — there's an inconsistency between declared requirements and what the instructions reference.
!
Instruction Scope
Instructions perform normal API interactions for uploads, SSE, polling and rendering (expected). But they also instruct the agent to detect install path (checking ~/.clawhub, ~/.cursor/skills) to set an X-Skill-Platform header and reference reading this file's YAML frontmatter and a local config path (~/.config/nemovideo/). Detecting/reading arbitrary paths in the user's home directory is outside the minimal scope of 'upload and edit this video' and raises privacy/scope concerns.
Install Mechanism
There is no install spec and no code files — this is an instruction-only skill. That minimizes disk-write/remote-install risk.
Credentials
The primary credential requested is NEMO_TOKEN which is proportionate to a cloud-rendering service. However the SKILL.md provides an anonymous-token acquisition flow if NEMO_TOKEN is missing, making the registry's declaration that NEMO_TOKEN is required misleading. The frontmatter references a config path (~/.config/nemovideo/) which could imply reading user files; that wasn't declared in the registry metadata and should be clarified.
Persistence & Privilege
The skill is not 'always: true' and does not request elevated persistent privileges. Autonomous invocation (model invocation enabled) is the platform default and is not, by itself, a red flag. The skill does mention session state and orphaned jobs but does not request system-wide config changes.
What to consider before installing
This skill appears to implement cloud-based video editing and will upload user videos to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN for authorization. Before installing: (1) confirm you are comfortable sending videos (and any sensitive content they contain) to that external service and review that service's privacy/retention policy; (2) note the SKILL.md instructs the agent to detect/read paths in your home directory (~/.clawhub, ~/.cursor/skills, ~/.config/nemovideo/) — ask the author to explain why those checks are needed or remove them if unnecessary; (3) be aware the registry claims NEMO_TOKEN is required but the skill can fetch an anonymous token itself — decide whether to provide your own token or let it use an ephemeral one; (4) if you need tighter control, consider giving a limited/throwaway token or testing with non-sensitive videos first. The inconsistencies are probably explainable but warrant clarification before trusting the skill with private data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97576z0zg5dapbsbbd7pxz5x584kw70

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments