ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor De Video Gratis

v1.0.0

edit video clips into edited video clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and students use it for editing...

0· 19·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to do cloud video editing and requires a single credential (NEMO_TOKEN) and network calls to nemovideo.ai, which is consistent with its purpose. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this discrepancy is unexplained and could cause the agent to look for local credentials/config unexpectedly. Also the package has no source or homepage published, reducing provenance.
!
Instruction Scope
The runtime instructions direct the agent to upload user-supplied video files (up to 500MB) to a third-party API and to include authorization and custom attribution headers. That is expected for a cloud editor. The instructions also instruct generating an anonymous token if no NEMO_TOKEN is present (so the skill can operate without explicit user-supplied credentials). The unexplained frontmatter configPath suggests the agent might search a local config file for tokens, which is beyond the explicit upload/authorize flow and could expose local credentials/config — this mismatch is concerning.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded during install. This reduces install-time risk.
Credentials
Only one environment variable (NEMO_TOKEN) is declared as required and is the primary credential, which is proportionate for a hosted service. However, the SKILL.md metadata also references a config path that could be used to obtain tokens from disk — that increases the effective scope of credential access and should be clarified.
Persistence & Privilege
The skill is not marked always:true and has no install-time persistence. Autonomous invocation is allowed (the platform default), which is expected for skills; that is not by itself a red flag here.
What to consider before installing
This skill appears to do what it says — upload videos to a cloud rendering API — but you should verify a few things before installing or using it with sensitive footage: 1) Provenance: there is no homepage or source repository listed; ask the publisher for a link or source code to review. 2) Privacy/retention: ask how uploaded videos are stored, who can access them, and how long they are retained. 3) Token handling: the skill will accept an environment NEMO_TOKEN or obtain an anonymous token automatically; prefer supplying a scoped token you control if you must use it, and confirm whether the skill will read ~/.config/nemovideo/ (the SKILL.md frontmatter mentions it but the registry does not). 4) Attribution headers: the skill requires custom headers — ensure these values don't leak sensitive environment details. If you cannot get satisfactory answers about provenance and data retention, avoid installing or uploading private/video-sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a22j2ee8tgdvjqt9cbf55g5851gc6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments