ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unified Video

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — combine all clips into one seamless video with smooth transitions — and ge...

0· 53·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is described as a cloud video merging service and its runtime instructions call a remote rendering API and upload media — that is coherent. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list; this mismatch is unexplained.
Instruction Scope
Instructions are explicit about uploading files, creating sessions, streaming SSE, polling render status, and attaching attribution headers. The agent is told to read this skill's YAML frontmatter and detect install path to set X-Skill-Platform — which requires filesystem access. No other unrelated files or secrets are requested, but the skill will send user-uploaded media to an external API (mega-api-prod.nemovideo.ai).
Install Mechanism
No install spec or code is included (instruction-only). Nothing is written to disk by an installer, which minimizes supply-chain risk.
!
Credentials
The skill declares NEMO_TOKEN as the primary credential (expected for a cloud API). But the SKILL.md also instructs the agent to request an anonymous token from the same API if NEMO_TOKEN is absent — and the frontmatter lists a config path (~/.config/nemovideo/) that could imply reading/writing local config. The registry metadata earlier listed no config paths, creating an inconsistency. The required credential and anonymous-token flow are plausible but you should confirm whether the skill will persist tokens or write config files locally and whether the config path is actually used.
Persistence & Privilege
The skill does not request always:true, has no install hooks, and uses ephemeral session tokens. It keeps session_id for ongoing jobs but does not request system-wide privileges.
What to consider before installing
This skill appears to implement a remote video-merge service and will upload files to mega-api-prod.nemovideo.ai; that behavior is expected for this purpose. Before installing or using it: (1) Confirm the source/owner and ask for a privacy policy and data retention policy — do not upload sensitive or private videos until you know where they are stored and for how long. (2) Ask whether the skill will write anything to ~/.config/nemovideo/ or persist the anonymous token; prefer ephemeral tokens and explicit user consent for persistent storage. (3) Note the skill can auto-create an anonymous NEMO_TOKEN if none is provided — this is convenient but means uploads can proceed without you supplying a token. (4) If you need stronger guarantees, request a documented API endpoint list, TLS/CA expectations, and whether media is encrypted at rest. The metadata inconsistency (declared configPath in SKILL.md vs. registry showing none) is why I marked this suspicious rather than benign; if the developer confirms no local config access and provides a privacy policy, confidence could be raised.

Like a lobster shell, security has layers — review code before you run it.

latestvk971xxtbtxdzpbws1qk6sva8dx84nppp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments