ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Frames

v1.0.0

extract video clips into exported frame images with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. YouTubers, video editors, content creators...

0· 57·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (remote GPU-based frame extraction) align with the runtime instructions: all interactions target a video-processing API (mega-api-prod.nemovideo.ai) and the skill requests a single NEMO_TOKEN which is the expected credential for that service.
Instruction Scope
SKILL.md describes only API calls (session creation, upload, SSE chat, export polling) and uploading user videos to the stated domain — behavior fits the stated purpose. However, instructions also tell the agent to 'save session_id' and to make a generated anonymous token become your NEMO_TOKEN; that phrasing is ambiguous about where/ how credentials are persisted. The frontmatter also requires a config path (~/.config/nemovideo/) not shown in the registry metadata, which is a scope mismatch that should be clarified.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lower-risk pattern for skills, assuming runtime actions remain limited to the described API.
Credentials
Only one credential (NEMO_TOKEN) is declared as required and is appropriate for a remote API service. But the SKILL.md frontmatter references a config path (~/.config/nemovideo/) which would grant access to a user config directory; the registry metadata reported no required config paths. This inconsistency could mean the skill expects to read/write files on disk to persist tokens — a justified convenience but a privacy concern if not documented.
Persistence & Privilege
always:false and no install scripts reduce privilege. Still, the skill explicitly asks the agent to 'save session_id' and to set a generated token as NEMO_TOKEN; combined with the frontmatter config path, this implies potential persistence of credentials/session state on the host. The skill does not request elevated system privileges, but you should confirm where session/token data are stored and for how long.
What to consider before installing
Before installing or using this skill: (1) Verify the service domain and operator (there's no homepage or source repo listed). (2) Confirm how and where tokens/session IDs are stored — the SKILL.md suggests persisting tokens and the frontmatter references ~/.config/nemovideo/, but the registry metadata disagrees. If you prefer, use the anonymous-token flow rather than placing a long-lived token in your environment. (3) Understand privacy: videos must be uploaded to the provider — confirm retention, sharing, and deletion policies before uploading sensitive content. (4) Test with a harmless small clip first to see whether tokens or session files appear on disk. (5) If you need stronger assurance, ask the author for source code or documentation and for clarification about the config path and token persistence. If you cannot verify those points, avoid using this skill for confidential material.

Like a lobster shell, security has layers — review code before you run it.

latestvk974sm1mc2cvxht2xs1ykm6mc184nc1x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎞️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments