ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Japanese Editor Ai

v1.0.0

edit raw video footage into Japanese-edited videos with this japanese-editor-ai skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators tar...

0· 56·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (Japanese video editing, subtitles, cloud render) align with the runtime endpoints and actions in SKILL.md — the required NEMO_TOKEN and the listed API endpoints are consistent with a remote video-processing backend.
Instruction Scope
The SKILL.md contains concrete network calls, SSE handling, upload and render flows and instructs the agent how to interact with the remote API. It also instructs the agent to read the skill's YAML frontmatter and detect install paths to populate X-Skill-Platform — this requires the agent to read local paths (install path and the SKILL.md itself) but is limited in scope to attribution and header population.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded artifacts, so nothing is written to disk by an installer. That is the lowest-risk install model.
!
Credentials
Registry metadata lists NEMO_TOKEN as a required primary credential, but SKILL.md explicitly describes a fallback flow to obtain an anonymous token if NEMO_TOKEN is not present. SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter metadata which is not reflected in the registry requirement summary — this mismatch is an inconsistency that could lead to the agent reading local config files unexpectedly. Otherwise only the single service token is requested, which is proportionate for a cloud API integration.
Persistence & Privilege
always is false and the skill does not request permanent elevated privileges. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to be a wrapper for a cloud video-editing backend (nemovideo.ai) and mostly behaves as expected, but note two issues before installing: (1) the registry metadata says NEMO_TOKEN is required while the SKILL.md also explains how to auto-create an anonymous token — confirm whether you must set a persistent token or the skill will use anonymous tokens. (2) SKILL.md references reading local config/install paths (~/.config/nemovideo/, install path detection) to set attribution headers; confirm you are comfortable with the skill reading those paths. Also consider: the skill will upload your raw video footage to an external service — verify the service owner, privacy policy, and that you trust the domain (mega-api-prod.nemovideo.ai). Because the skill source/homepage is unknown, prefer not to inject long-lived or sensitive credentials into NEMO_TOKEN until you confirm the provider and review a trusted source repository or documentation. If you want more confidence, ask the publisher for a homepage/repo or request clarification on the token/config path behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk974b83qkv2mdh5v2w0te38wad84mgfg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎌 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments