ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meta Ai

v1.0.0

content creators enhance video clips into AI-edited videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p, and ret...

0· 21·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (AI-assisted video editing) match the instructions (upload, session, render, export). Requiring a single service token (NEMO_TOKEN) is appropriate. Minor inconsistency: registry metadata at the top stated no required config paths, but the SKILL.md frontmatter and runtime instructions reference ~/.config/nemovideo/ and reading the YAML frontmatter for X-Skill-Source/Version/Platform.
Instruction Scope
Runtime instructions stay within the editing workflow: create/refresh an anonymous token if NEMO_TOKEN is absent, create sessions, upload files, stream SSE edits, poll renders, and return download URLs. They also instruct reading the skill's YAML frontmatter and detecting install path (~/.clawhub or ~/.cursor/skills) to set an X-Skill-Platform header — reading those paths is not strictly required for core editing but is plausible for attribution. Instructions explicitly tell the agent not to display raw API responses or token values, and to store session_id/token for subsequent calls.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest-risk install surface — nothing is downloaded or written by the skill itself per the manifest.
Credentials
Only one credential is declared (NEMO_TOKEN), which is proportionate to a backend API. The skill also implements an anonymous-token flow if the env var is missing (generates a client UUID and posts to the service). The earlier registry metadata omission of config paths vs the frontmatter declaration is inconsistent but not necessarily malicious.
Persistence & Privilege
always is false and the skill does not request system-wide changes or additional privileges. Autonomous invocation is allowed by default but is not combined with broad or unrelated credential access.
Assessment
This skill appears to do what it says (cloud video enhancement) and only needs a single service token. However: 1) the package has no homepage or verifiable source — verify the domain (mega-api-prod.nemovideo.ai) and the provider before sending sensitive video content; 2) the skill will auto-create and store an anonymous token if you don't set NEMO_TOKEN — if you prefer control, set your own NEMO_TOKEN or decline anonymous auth; 3) it may read install/config paths (~/.config/nemovideo/, ~/.clawhub/, ~/.cursor/skills/) for attribution headers — consider whether you want the agent to access those paths; 4) because this skill uploads/processes video on a third‑party cloud, avoid sending videos with sensitive PII unless you trust the service. If you want higher assurance, ask the publisher for a homepage, privacy policy, and API provenance before using.

Like a lobster shell, security has layers — review code before you run it.

latestvk976apxde16k0js6kcdz79dhms84kwew

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments