Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Editing With Unlimited
v1.0.0Cloud-based video-editing-with-unlimited tool that handles editing and exporting videos without render or export limits. Upload MP4, MOV, AVI, WebM files (up...
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose (cloud video editing/export) matches the API endpoints and the single credential (NEMO_TOKEN). This credential is proportionate. However, the SKILL.md's YAML metadata lists a config path (~/.config/nemovideo/) that the registry metadata did not declare — a mismatch that suggests either outdated registry metadata or an instruction to touch a local config directory that wasn't advertised.
Instruction Scope
Instructions are primarily API calls to nemovideo.ai and are consistent with a cloud editing workflow. Concerns: (1) the skill tells the agent to detect install path (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header — this requires probing the filesystem and is not strictly needed for editing. (2) The YAML metadata in SKILL.md lists a config path, implying persistence to ~/.config/nemovideo/ (the registry top-level said none). The instructions also instruct saving session_id and tokens but do not specify where — raising the risk of local persistence without clear user consent.
Install Mechanism
No install spec and no code files; the skill is instruction-only. That minimizes installation risk because nothing is written to disk by an installer. The main runtime actions are outgoing HTTPS calls to the service domain.
Credentials
Only one env var is required (NEMO_TOKEN), which is appropriate for an API-backed video service. However, the SKILL.md both accepts an existing NEMO_TOKEN and documents obtaining an anonymous token via the API; the metadata's declared config path (~/.config/nemovideo/) implies the skill may persist tokens or session state locally — this was not declared in the registry summary and should be clarified.
Persistence & Privilege
The skill does not request always:true and uses normal autonomous invocation. The potential concern is local persistence: SKILL.md metadata and instructions imply saving session tokens/session IDs (and the config path in YAML) but the registry listing did not advertise any config-path requirement. Probing install paths to set headers is another form of local inspection. Combined, these indicate the skill may read or write local config state beyond what was declared.
What to consider before installing
This skill appears to be a legitimate cloud video-editing integration, but there are a few inconsistencies you should confirm before installing or providing credentials: 1) Confirm where the skill will store session tokens or anonymous tokens (it references ~/.config/nemovideo/ in its SKILL.md but the registry did not). If it will write to that path, ask for specifics and whether it respects permissions. 2) Ask why the skill needs to probe install paths (~/.clawhub/, ~/.cursor/skills/) to set an attribution header — this requires filesystem access and seems unnecessary. 3) Only provide a NEMO_TOKEN you control and can revoke; avoid using long-lived system credentials. 4) Verify the service domain (mega-api-prod.nemovideo.ai) and request a privacy/retention policy for uploaded videos. If the vendor/source cannot explain the config-path discrepancy and token persistence behavior, treat the skill with caution or avoid installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97ddrgtasgy9m7ww511w3195n84mqms
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN