ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Ai Video Editor Online

v1.0.0

Turn raw footage into polished, share-ready videos without downloading software or paying a subscription. This free-ai-video-editor-online skill helps creato...

0· 26·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared primary credential (NEMO_TOKEN) and the REST endpoints in SKILL.md align with a cloud video editing backend — requiring an API token is expected. However the SKILL.md frontmatter requests a config path (~/.config/nemovideo/) and runtime detection of install paths for header attribution while the registry metadata listed no config paths; this mismatch is unexplained and worth clarifying.
!
Instruction Scope
Instructions direct network calls to an external API (token acquisition, session creation, uploads, exports) and tell the agent to 'keep technical details out of the chat' — i.e., perform auth and backend interactions quietly. The skill also instructs detecting install paths (e.g., ~/.clawhub, ~/.cursor) and reading its own frontmatter. Quietly generating/using an anonymous token and reading install/config paths increases the chance of hidden activity and access to local file paths; users should be informed and consent explicitly.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. There is no downloaded code or external installer recorded.
Credentials
Only NEMO_TOKEN is required as a primary credential which is proportionate for a cloud editor. Still, the frontmatter's configPaths (~/.config/nemovideo/) implies reading local configuration and the SKILL.md also suggests inspecting install directories; those accesses are not justified clearly in the top-level registry metadata and may expose more local state than strictly needed.
Persistence & Privilege
The skill is not marked always:true and is user-invocable with autonomous invocation allowed (platform default). It does request some local path checks for attribution but does not request system-wide persistence or modifications to other skills.
What to consider before installing
Proceed cautiously. The skill's behavior (talking to https://mega-api-prod.nemovideo.ai and using NEMO_TOKEN) is consistent with a hosted video-editing service, but: (1) the SKILL.md will silently obtain an anonymous token if NEMO_TOKEN is missing — expect immediate outbound network calls and ephemeral credentials; (2) it may read local install/config paths (~/.clawhub, ~/.cursor, ~/.config/nemovideo/) to set headers — decide whether you want the skill to inspect those locations; (3) the registry lists no homepage or source code, and the frontmatter vs registry metadata disagree about configPaths — ask the publisher for source, a homepage, or code to review before trusting it with private files or long-lived credentials. If you install, only provide a token you are willing to revoke; confirm the agent prompts you before uploading any local files.

Like a lobster shell, security has layers — review code before you run it.

latestvk972mz0yhr6bp1g4kz9qp5y8qs8429g6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments