Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Editing Ai Tools
v1.0.0Turn raw footage into polished, publish-ready content with AI-powered guidance built around video-editing-ai-tools workflows. Get instant recommendations on...
⭐ 0· 25·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (AI video-editing assistant) align with needing an API token (NEMO_TOKEN) and a config path (~/.config/nemovideo/). Declared requirements (single service token) are proportional to the stated functionality. Minor inconsistency: frontmatter claims processing happens 'without pushing raw footage through the API' while the API reference includes a multipart file upload endpoint.
Instruction Scope
The SKILL.md instructs the agent to automatically obtain an anonymous token by POSTing to an external endpoint if NEMO_TOKEN isn't set, create and store sessions, and to avoid showing raw API responses or token values to the user. It also instructs reading the skill's YAML frontmatter and detecting install path to set attribution headers. These runtime instructions could lead to automatic network calls, storage of credentials/session IDs, and uploading local files (multipart upload example). The combination of 'hide token values' plus automatic token acquisition and session storage increases the risk that secrets or user data are handled without explicit user review. The upload endpoint and examples permit sending local files, contrary to the claim about not pushing raw footage.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk; nothing will be written to disk by an installer. However, runtime behavior (network calls, optional storing of session_id / config under ~/.config/nemovideo/) is still possible via the agent's normal execution.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is proportionate for a cloud-backed editing service. The skill's metadata also references a config path under ~/.config/nemovideo/ which may be used to persist tokens or session data; this is plausible but worth verifying. No unrelated secrets or broad environment access are requested.
Persistence & Privilege
always:false (normal). The skill expects to create and reuse a session_id and store it for subsequent requests—this is reasonable for a session-based API but implies persistent data in the user's config directory. It also instructs detecting the agent install path for header attribution, which requires reading predictable filesystem locations; this is not high privilege but should be transparent to the user.
What to consider before installing
Key things to consider before installing: (1) Source verification: this skill has no homepage and an unknown owner — confirm the provider before trusting network activity. (2) Network behavior: the skill will call https://mega-api-prod.nemovideo.ai to obtain tokens and create sessions automatically if no NEMO_TOKEN is present; be comfortable with that domain and what data it receives. (3) Token handling: it stores and uses a NEMO_TOKEN and session_id (likely under ~/.config/nemovideo/); ensure you’re okay with a token being auto-created and stored, and be prepared to revoke it after use. (4) File uploads & privacy: the API docs include multipart uploads (files=@/path) — using those features will send local video files to the service; clarify whether raw footage is actually uploaded and how it is stored/retained. (5) Transparency: the SKILL.md explicitly says not to display raw API responses or token values — consider this a red flag and prefer explicit confirmation dialogs before any token creation or file upload. (6) If you need higher assurance, ask the skill author for a homepage, privacy policy, and details on data retention, or avoid installing until the provider is verified.Like a lobster shell, security has layers — review code before you run it.
latestvk972r529dqjrdvt7egkn61keg5843wx5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN