ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Simple Video Editing With

v1.0.0

content creators and social media users edit raw video clips into polished edited clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on...

0· 59·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared purpose (cloud video editing) aligns with the API endpoints and workflows in SKILL.md (upload, render, export). Requesting a single service token (NEMO_TOKEN) is expected. However, the runtime metadata and instructions ask the agent to read local install paths (~/.clawhub, ~/.cursor/skills) and a config path (~/.config/nemovideo/), which are not necessary for basic editing and are not declared in the registry metadata (registry said 'Required config paths: none'). This is an inconsistency and expands local access beyond the minimal need to call a remote API.
!
Instruction Scope
The SKILL.md instructs the agent to automatically obtain an anonymous token if NEMO_TOKEN is not set and to 'Keep setup communication brief' and 'Don't display raw API responses or token values to the user.' That instruction to hide token/API responses is unusual and removes transparency from the user. The skill also asks the agent to read the file's YAML frontmatter for attribution and to detect install paths to set X-Skill-Platform — these require reading local filesystem locations. The instructions do not explicitly describe where or how tokens/sessions are persisted (env, memory, disk), leaving storage semantics unclear.
Install Mechanism
No install spec and no code files (instruction-only) — low on-disk footprint and lower installer risk. All network interactions happen at runtime via the remote API.
Credentials
Only one credential (NEMO_TOKEN) is declared as required, which is proportional for a cloud service. However the skill will generate an anonymous token on behalf of the user if none is present; it also instructs not to surface that token to the user. That behaviour is plausible but should be explicit: users should be told if tokens or session identifiers are stored locally or reused across invocations. Also registry metadata did not list the config path that the SKILL.md expects (~/.config/nemovideo/), creating a transparency gap about where secrets/config could be read or written.
Persistence & Privilege
always:false and default model invocation are present (normal). The skill does create short-lived sessions/tokens on the backend, but it does not request permanent platform-wide privileges or ask to modify other skills. The only persistence signalled is storing session_id for the session; where/how that is stored is unspecified.
What to consider before installing
This skill appears to do what it claims (cloud video editing), but there are a few things to ask or confirm before installing: - Why does it need to inspect your install directories (~/.clawhub, ~/.cursor/skills) and ~/.config/nemovideo/? Reading those paths is not required to edit a video and could reveal other environment details. - If NEMO_TOKEN isn't provided, the skill will automatically create an anonymous token and use it — ask where that token and the session_id are stored (in-memory vs written to disk) and whether it will be reused across sessions. - The SKILL.md explicitly says not to show raw API responses or token values to the user; request clarification on that policy and ask for explicit console/log options for transparency. - The skill will send your uploaded media to a remote host (mega-api-prod.nemovideo.ai). If you handle sensitive content, avoid uploading until you verify the service's privacy/data-retention policies. If you want to proceed, consider running the skill in an isolated environment, provide your own NEMO_TOKEN if you trust the service, and request the developer to remove or justify filesystem checks and to document token storage/expiration behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97daj08yj272b0kdxfdr5kxrh84nkwp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✂️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments