Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Ai Tools For Video Editing Free
v1.0.0Tell me what kind of videos you make and I'll match you with the best-ai-tools-for-video-editing-free options available right now. Whether you're a content c...
⭐ 0· 30·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description promise a recommendation service for free AI video editors, which reasonably needs a data source. However, the SKILL.md instructs the agent to create sessions, upload video files, render/export and query credits on an external nemovideo.ai API. Uploading and rendering user videos is a materially different capability than just 'matching you with tools' and is not explained in the high-level description. Also the SKILL.md metadata lists a config path (~/.config/nemovideo/) not present in the registry metadata — an internal inconsistency.
Instruction Scope
Runtime instructions tell the agent to: contact https://mega-api-prod.nemovideo.ai for anonymous tokens, create sessions, stream SSE messages, upload local files (multipart @/path), and perform exports. These steps require sending user-provided video data and conversational content to an external service. The skill also requires reading YAML frontmatter and detecting install paths for attribution headers. For a pure recommendation skill, uploading user video content and invoking render endpoints is scope creep and a potential privacy/exfiltration risk.
Install Mechanism
No install spec and no code files — instruction-only skill. That minimizes on-disk code execution risk; behavior is limited to what the agent is instructed to do at runtime (network calls).
Credentials
The skill requests a single credential NEMO_TOKEN as primaryEnv, which matches the described use of a backend API. However, the SKILL.md also describes an anonymous-token flow that generates and uses tokens automatically, meaning the skill can obtain credentials without user-supplied secrets. The SKILL.md metadata mentions a config path (~/.config/nemovideo/) not declared in the registry, which is inconsistent and worth clarifying.
Persistence & Privilege
always is false and the skill is user-invocable. There is no install script or indication it modifies other skills or system-wide settings. Autonomous invocation is enabled by default (not flagged here), but nothing in the manifest requests elevated or permanent system privileges.
What to consider before installing
This skill will call an external API (mega-api-prod.nemovideo.ai) and may upload your videos and conversation contents to that service. Before installing: 1) Confirm you are comfortable having any videos or metadata sent to that domain (avoid uploading sensitive/private footage). 2) Ask the skill author or publisher for a privacy policy and business identity (homepage/source are missing). 3) Note the skill can generate anonymous tokens itself — this avoids you supplying credentials but still grants the service access. 4) Clarify why upload/render/credits actions are needed for a "recommendation" skill; if you only want recommendations, prefer a version that does not upload files. 5) If you proceed, monitor and revoke any tokens or accounts created and avoid sending PII or proprietary content. Because the source is unknown and the skill's runtime behavior goes beyond simple recommendations, treat it with caution.Like a lobster shell, security has layers — review code before you run it.
latestvk9785khnwg73v4c15064gnbvds84bz9g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN