Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy Video Editor

v1.0.0

Casual creators and small business owners edit raw video clips into polished edited clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description describe a cloud video-editing service and the SKILL.md exclusively instructs calls to a nemo video API with a single NEMO_TOKEN — this is coherent. However the package has no source or homepage listed and the API host (mega-api-prod.nemovideo.ai) is not documented elsewhere in the registry entry, which lowers trust in provenance.
Instruction Scope
Runtime instructions are detailed and constrained to the stated API endpoints (session, upload, render, credits, state, SSE). Two points raise concern: (1) the skill asks the agent to detect the agent install path and include X-Skill-Platform based on local install locations — that implies accessing local path/installation metadata (filesystem inspection) which is outside the core video-editing task; (2) SKILL.md metadata references a config path (~/.config/nemovideo/) even though the registry lists none. Both are scope-creep items worth clarifying.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk/write risk since nothing is downloaded or installed by the skill itself.
Credentials
The skill declares a single primary env var (NEMO_TOKEN), which is appropriate for a cloud API client. However SKILL.md's frontmatter also mentions a config path (~/.config/nemovideo/) that is not reflected in the registry metadata; this inconsistency should be resolved. There are no other unrelated credentials requested.
Persistence & Privilege
always is false and the skill is user-invocable. There is no install-time persistence or automated wide privilege requested by the skill metadata.
What to consider before installing
This skill looks functionally consistent with a cloud video editor and only asks for a single service token (NEMO_TOKEN), but proceed cautiously because the publisher and homepage are missing and the SKILL.md contains small inconsistencies. Before installing:
(1) ask the publisher for documentation and a privacy/data-retention policy and confirm the official API host (mega-api-prod.nemovideo.ai);
(2) clarify why the skill needs to detect install paths / read local installation metadata and confirm what exactly will be read;
(3) verify the config path mention (~/.config/nemovideo/) and whether any local files will be accessed;
(4) avoid supplying long-lived or high-privilege credentials — use a scoped/test token or anonymous flow where possible;
(5) if you decide to use it, monitor network calls and keep sensitive footage out of untrusted services until provenance is confirmed.


latest: vk976s89k4sfy4xxede3jbd9v1184jq1m


Runtime requirements

✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
