ClawHub

Whisk

v1.0.1

Drop a video and describe the look you're after — Whisk reads your footage and remixes its visual style, pacing, and mood on the fly. Whether you want to tur...

0· 74·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (video style remixer) match the declared dependency (a single NEMO_TOKEN) and the SKILL.md which describes calls to the NemoVideo API. The required config path (~/.config/nemovideo/) and client_id UUID are plausibly needed for anonymous token acquisition and session creation.
Instruction Scope
Instructions focus on creating a session, uploading video assets, and streaming SSE messages to the NemoVideo API. A noteworthy point: the SKILL.md directs building a claim link that embeds the token as a URL query parameter (https://nemovideo.com/workspace/claim?token=$TOKEN&...), which can leak the token via logs, browser history, or if the link is shared. Otherwise the instructions do not ask the agent to read unrelated system files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. The only file-write action the instructions mention is creating a client_id under ~/.config/nemovideo/ if needed, which is reasonable for anonymous auth.
Credentials
Only a single credential (NEMO_TOKEN) is required and declared as primaryEnv, which is proportionate. Caveat: the created claim URL includes the token in a query parameter, which increases risk of token exposure. The skill also relies on a local client_id config file when obtaining anonymous tokens — this is consistent with its described behavior.
Persistence & Privilege
The skill is not force-included (always: false) and can be invoked by the user. It does not request elevated platform privileges or modify other skills' configuration. It does instruct creating a small client config under the user's homedir, which is normal for a client identifier.
Assessment
This skill appears to do what it says: it calls the NemoVideo API to analyze and remix uploaded video. Before installing: 1) Be aware the skill requires an API token (NEMO_TOKEN). Treat that token like a password and only provide a token scoped/limited for this use; rotate it if needed. 2) The skill constructs a claim link that embeds the token as a URL parameter — avoid sharing that link and prefer provider flows that don't expose tokens in URLs. 3) The skill will write a client_id file to ~/.config/nemovideo/ if absent; this is benign but review that file if you care about local artifacts. 4) Only upload video files you are authorized to process. If you need stronger assurances, ask the vendor for token-scoping options, shorter token lifetimes, or an alternative claim flow that doesn't put tokens in URLs.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ts4qa6m8jx5044zwpztd4x83ycvy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌀 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments