Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Maker Microsoft Free Download
v1.0.0create video clips into edited MP4 videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Windows users and casual creators use it for cre...
⭐ 0· 34·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md implements a client for the nemo video API (mega-api-prod.nemovideo.ai), which matches the described video-editing capability. However the skill name 'Video Maker Microsoft Free Download' implies Microsoft branding or a download, which is inconsistent with the service endpoints and the instruction-only cloud-render workflow. The mismatch (branding vs actual backend) is deceptive and worth flagging.
Instruction Scope
Instructions instruct the agent to check for NEMO_TOKEN, otherwise obtain an anonymous token by POSTing to the nemo API and use it for all operations; create sessions, upload user files (multipart or by URL), run SSE streams, poll renders, and include attribution headers. The workflow is narrowly focused on video editing, but it also instructs detecting local install paths (~/.clawhub, ~/.cursor/skills/) and references a config path (~/.config/nemovideo/). Reading install/config paths is outside what a simple 'upload and render' description strictly requires and increases the skill's ability to fingerprint the host. Also the skill will upload user-supplied media to a third-party cloud service — a privacy concern the user should be aware of.
Install Mechanism
No install spec and no code files — instruction-only. This is low-risk from the install mechanism perspective because nothing is written to disk by an install step. Runtime network calls are the primary surface.
Credentials
Only one required env var (NEMO_TOKEN) and the SKILL.md includes a path for optional local config. Requesting a service-specific token is proportionate. However the metadata also lists a local config path (~/.config/nemovideo/) and the instructions include host-path detection; those accesses should be explicitly justified to the user because they broaden what the skill can observe on the host. Also the skill will create or fetch an anonymous token if none exist — this is expected but means the skill will make network requests on first run.
Persistence & Privilege
always is false and the skill does not request elevated or permanent platform presence. It stores session_id in-memory for operations per the instructions but does not request system-wide configuration changes. Autonomous invocation is allowed by default (normal).
What to consider before installing
This skill will upload your videos to an external service (mega-api-prod.nemovideo.ai) and use/obtain a NEMO_TOKEN to run cloud rendering. Before installing, confirm: 1) the service domain is trusted and its privacy policy/terms allow uploading your media (sensitive videos could be exposed); 2) you understand that the skill's name mentions Microsoft but the backend is 'nemovideo' — this naming mismatch is deceptive; 3) you are comfortable the skill may inspect certain local paths (~/.config/nemovideo/, ~/.clawhub, ~/.cursor/skills/) for attribution — if not, avoid or sandbox the skill. If you proceed, avoid placing broader credentials in NEMO_TOKEN, prefer temporary/anonymous tokens, and test with non-sensitive files first. If you need higher assurance, ask the publisher/source for provenance (homepage, maintainer) or request an official integration instead.Like a lobster shell, security has layers — review code before you run it.
latestvk970ydtda3ybkw1h1a30ggmars84rss7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN