Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Tools For Video Editing
v1.0.0Turn a 3-minute unedited screen recording into 1080p polished edited clips just by typing what you need. Whether it's automatically editing raw footage into...
⭐ 0· 54·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to perform cloud-based video editing and the runtime instructions show exactly that (upload, SSE chat, render/export endpoints). Requiring a NEMO_TOKEN is coherent. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not reflected in the registry metadata summary (registry said no config paths) — this mismatch is an incoherence to be clarified.
Instruction Scope
Instructions remain within the video-editing purpose (obtain/validate token, create session, upload video, poll render status). They instruct the agent to read the skill's YAML frontmatter and to detect an install path to populate headers, and to upload raw user video to https://mega-api-prod.nemovideo.ai. This is expected for a cloud editing service, but it does mean user files and generated tokens are sent to an external third party. The skill explicitly instructs not to expose tokens, which is good.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is written to disk by an installer).
Credentials
Only one credential is required (NEMO_TOKEN) which fits the stated purpose. The SKILL.md also defines a flow to obtain an anonymous token via the service if none is present, which is plausible. The earlier-mentioned inconsistency between registry metadata (no config paths) and SKILL.md (declares ~/.config/nemovideo/) raises a question about whether the skill expects to read/write local config — that should be clarified before use.
Persistence & Privilege
The skill is not marked always:true. It can be invoked autonomously (default), which combined with the ability to obtain tokens and upload files to an external domain increases the blast radius: an agent could potentially create/use a token and upload data without an explicit user consent step. This is not inherently malicious but is a privacy/systemic risk to be aware of.
What to consider before installing
What to consider before installing or using this skill:
- Functionality: This skill will upload your raw videos and editing instructions to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (it can also obtain an anonymous token for you). That is expected for a cloud-based editor — only proceed if you trust that service with your video data.
- Metadata mismatch: The SKILL.md frontmatter references a local config path (~/.config/nemovideo/) not listed in the registry metadata. Ask the author which local files/paths the skill will read or write before installing.
- Tokens and privacy: The skill uses a bearer token for all requests. Ensure you are comfortable with the token lifecycle (anonymous tokens expire after 7 days per the doc). The skill says not to expose tokens, but confirm whether it persists tokens to disk and where.
- Autonomous invocation: Because the agent may call this skill autonomously, check your agent settings and only enable autonomous actions if you want uploads and token creation to possibly occur without a separate explicit approval step.
- If you need higher assurance: ask the publisher for a homepage or source repo, verify the nemovideo domain is legitimate, and request explicit statements about what local files/config the skill will access and whether it stores tokens on disk.Like a lobster shell, security has layers — review code before you run it.
latestvk9750j3yze20ycp7d61hxxjek984p27n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN