ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Ai For Marketing

v1.0.0

marketers edit raw video footage into polished marketing clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p, and...

0· 62·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (marketing video editing) aligns with the runtime instructions (upload, SSE chat, render/export endpoints). The only mismatch: registry-level metadata listed no required config paths, while the skill's YAML frontmatter names ~/.config/nemovideo/ as a config path. That discrepancy should be resolved.
!
Instruction Scope
SKILL.md explicitly instructs the agent to call remote APIs, generate an anonymous token by POSTing to https://mega-api-prod.nemovideo.ai, save session IDs, and include attribution headers. It also directs the agent to detect install path (~/.clawhub/, ~/.cursor/skills/) and read the skill's frontmatter for attribution. Reading those filesystem paths and sending attribution + token-bearing requests to an external domain is within the skill's purpose but raises privacy/exfiltration concerns that should be acknowledged.
Install Mechanism
No install spec or third-party downloads; instruction-only skill (no code files) — lower installation risk.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is appropriate for a third-party video processing service. However, SKILL.md expects the agent to generate/store an anonymous token if NEMO_TOKEN is not present, and the frontmatter references a config path (~/.config/nemovideo/) not declared in the registry metadata. Confirm where tokens/session IDs will be stored and whether they persist on disk.
Persistence & Privilege
always:false and normal autonomous invocation are set. The skill does not request permanent platform privileges or to alter other skills. Its instructions to save a session_id and possibly store a token are normal for a service integration, but users should confirm storage location and retention.
What to consider before installing
This skill appears to do what it says (upload video, call a cloud render API, return an MP4) and only needs a single service token (NEMO_TOKEN). Before installing: (1) verify the external domain (mega-api-prod.nemovideo.ai) and the publisher — this is where your videos and tokens will be sent; (2) confirm how/where anonymous tokens and session IDs are stored (in memory vs written to ~/.config/nemovideo/ or other files); (3) be aware the skill will probe certain home-directory paths to set attribution headers (it reads its own frontmatter and may check ~/.clawhub or ~/.cursor), which is a minor privacy signal but worth knowing; (4) if you have sensitive footage, review the service's privacy/retention policy before uploading. Also ask the publisher to resolve the metadata inconsistency (registry says no config paths but the SKILL.md frontmatter lists ~/.config/nemovideo/).

Like a lobster shell, security has layers — review code before you run it.

latestvk973263dj96szab5d8es6s1fc984kmny

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📣 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments