ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Tool

v1.0.0

edit raw video footage into polished edited clips with this ai-video-editor-tool skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators an...

0· 60·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's described functionality (upload video, edit on cloud GPUs, export MP4) aligns with the API endpoints and required NEMO_TOKEN. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata listed none — this mismatch is unexplained and suggests the skill might expect filesystem access to a config directory.
!
Instruction Scope
Instructions explicitly tell the agent to upload user files and stream SSE from an external API (expected). Concerns: (1) headers are derived from install path detection (reading install path or environment), and (2) SKILL.md says to "Store the returned session_id" but doesn't specify scope or storage location (in-memory vs disk). The skill also instructs not to show raw tokens — workable, but ambiguous about persistence and local file access.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes on-disk code risk — the skill will rely on runtime HTTP calls. No downloads or package installs are requested.
Credentials
Only one credential (NEMO_TOKEN) is declared and that is coherent with calling the nemo API. Incoherence: SKILL.md includes steps to auto-generate an anonymous token if NEMO_TOKEN is not set, so requiring NEMO_TOKEN in metadata is misleading. The frontmatter also lists a config path (see purpose_capability) that wasn't declared elsewhere.
Persistence & Privilege
always:false (normal). The skill instructs storing a session_id for subsequent requests but does not require persistent installation. The presence of a config path in the frontmatter raises the possibility of writing to ~/.config/nemovideo/, but the SKILL registry shows no explicit config path requirement — this is ambiguous and worth confirming.
What to consider before installing
This is an instruction-only skill that uploads your video files to https://mega-api-prod.nemovideo.ai for cloud editing and uses a single token (NEMO_TOKEN). Before installing: (1) verify who operates 'nemovideo' (no homepage/owner is provided); (2) confirm data retention, privacy, and whether uploaded files or generated tokens/session IDs are stored on disk (the SKILL.md hints at a config path but the registry doesn't); (3) prefer setting your own NEMO_TOKEN rather than relying on automatic anonymous-token creation if you need auditability; and (4) avoid sending highly sensitive footage until you confirm the service's terms and security practices. The inconsistencies in metadata lower trust — ask the publisher for provenance and clarify where session data is persisted.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ysv0pww8svg0zya38tj9mh84kqnx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments