Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Editor Maker Free

v1.0.0

edit raw video clips into polished edited videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and social media users u...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to be a cloud video editor and only requires a NEMO_TOKEN — that is internally coherent. However the SKILL.md frontmatter advertises a config path (~/.config/nemovideo/) and runtime instructions ask the agent to detect install paths (~/.clawhub/, ~/.cursor/skills/) for header attribution. The registry metadata provided to the evaluator listed no required config paths, creating an inconsistency about what filesystem access the skill expects.
! Instruction Scope
Instructions send user video files and metadata to https://mega-api-prod.nemovideo.ai (expected for a cloud editor) and describe SSE, uploads, exports, and token refresh flows. Concerningly, the runtime instructions also tell the agent to detect local install directories and read the skill's YAML frontmatter for attribution — this requires probing the user's home directories and reading filesystem paths outside the immediate request context. The skill will also, by design, upload raw user video content to a third-party server (privacy/data-exfiltration risk inherent to cloud editors).
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest install risk.
! Credentials
Only a single credential is declared (NEMO_TOKEN), which is reasonable for an API-backed editor. However the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and the agent is asked to probe install paths to set X-Skill-Platform — both imply filesystem access beyond just reading an env var. The metadata seen by the registry did not list those configPaths, so it's unclear whether the skill actually needs to read local config files that could contain other secrets.
Persistence & Privilege
always is false; autonomous invocation is allowed (platform default). The skill does not request permanent presence or claim to modify other skills or global agent settings.
What to consider before installing
This skill behaves like a cloud video editor: it will upload your raw videos to a remote API (https://mega-api-prod.nemovideo.ai) and use a NEMO_TOKEN (or obtain a short-lived anonymous token) to process them. Before installing or invoking it:
1) Be aware that uploading sensitive or private footage will send it to a third party.
2) Confirm where your NEMO_TOKEN comes from and prefer scoped/minimal tokens; an anonymous token will be created automatically if none is present.
3) Note the SKILL.md asks the agent to probe install paths (~/.clawhub, ~/.cursor/skills) and references a config directory (~/.config/nemovideo/) — this is inconsistent with the registry metadata and could require filesystem reads; only allow such access if you trust the skill/source.
4) The skill has no homepage and an unknown owner; consider this lower provenance and exercise caution.
If you need to proceed, restrict the token's permissions, avoid uploading sensitive content, and monitor network activity or run the skill in a sandboxed environment. Additional info (repo, privacy policy, or origin) would increase confidence.

latestvk97cnv20ese5nbmdscqrgcjt0984sw88

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
