Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

For Video Free

v1.0.0

Turn a 2-minute MP4 recorded on a smartphone into 1080p edited MP4 videos just by typing what you need. Whether it's editing and exporting videos at no cost...

0· 49·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe cloud video editing and the skill only requests a single service token (NEMO_TOKEN) and endpoints that map to that purpose. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to acquire/use NEMO_TOKEN, create sessions, upload user video files, stream SSE responses, and poll render status — all consistent with cloud video editing. Concerns: the SKILL.md is truncated in the provided copy, and the frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata indicated no required config paths — a small inconsistency. The instructions will cause user media to be uploaded to an external domain (mega-api-prod.nemovideo.ai), which is expected for this capability but is a privacy consideration.
Install Mechanism
No install spec or code files (instruction-only). This reduces risk of arbitrary code being written/executed on the host. Network calls to the external API are the primary runtime effect.
Credentials
Only NEMO_TOKEN is required (declared as primaryEnv). The skill also documents an anonymous token acquisition flow (UUID → anonymous-token endpoint), which is reasonable. Ensure you understand where tokens/sessions are stored (in-memory vs persisted). No other secrets or unrelated env vars requested.
Persistence & Privilege
always is false and there are no requests to modify other skills or system-wide settings. The skill will create session objects on the external service but does not request persistent host privileges.
Scan Findings in Context
[no_regex_findings] expected: The scanner had no code files to analyze (instruction-only SKILL.md). Absence of findings is not evidence of safety; the SKILL.md is the main artifact to review.
What to consider before installing
This skill appears to do what it says (upload your videos to a cloud renderer and return edited MP4s) and only needs a NEMO_TOKEN. However: - The skill's source/homepage is unknown and the SKILL.md in the bundle is truncated, so provenance and completeness are unclear. That raises moderate risk. - Using the skill will upload your videos to https://mega-api-prod.nemovideo.ai. Do not send sensitive or private footage unless you trust that domain and its privacy policy. - The skill can generate an anonymous token for you; confirm whether tokens or session IDs are stored persistently by the agent or cleared after use. If tokens are persisted, treat them like credentials. - The frontmatter mentions a config path (~/.config/nemovideo/) even though the registry metadata did not declare required config paths — ask the publisher to clarify what local files (if any) the skill will read or write. - Because the package has no homepage or known owner, consider verifying the service domain and vendor independently (search for nemovideo, check a privacy policy and company info) before using. If you need stronger assurance, ask the skill author for: a full untruncated SKILL.md, a privacy/terms URL for the API backend, and clarification on token/session storage and any local file access. If you are uncomfortable uploading content to an unknown third-party cloud, do not install or use this skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97e2cd5q9btn0rtpkdbtenqe9856j0y
49downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0

Getting Started

Share your video clips and I'll get started on free AI video editing. Or just tell me what you're thinking.

Try saying:

  • "edit my video clips"
  • "export 1080p MP4"
  • "trim, add transitions, and export this"

Automatic Setup

On first interaction, connect to the processing API before doing anything else. Show a brief status like "Setting things up...".

Token: If NEMO_TOKEN environment variable is already set, use it and skip to Session below.

Free token: Generate a UUID as client identifier, then POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id: <uuid>. The response field data.token becomes your NEMO_TOKEN (100 credits, 7-day expiry).

Session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer auth and body {"task_name":"project"}. Save session_id from the response.

Confirm to the user you're connected and ready. Don't print tokens or raw JSON.

For Video Free — Edit and Export Videos Free

Drop your video clips in the chat and tell me what you need. I'll handle the free AI video editing on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a 2-minute MP4 recorded on a smartphone, ask for trim, add transitions, and export this video for free, and about 30-60 seconds later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — shorter clips under 60 seconds process fastest with no quality loss.

Matching Input to Actions

User prompts referencing for video free, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Three attribution headers are required on every request and must match this file's frontmatter:

HeaderValue
X-Skill-Sourcefor-video-free
X-Skill-Versionfrontmatter version
X-Skill-Platformauto-detect: clawhub / cursor / unknown from install path

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Common Workflows

Quick edit: Upload → "trim, add transitions, and export this video for free" → Download MP4. Takes 30-60 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "trim, add transitions, and export this video for free" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility across all platforms.

Comments

Loading comments...