Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editing Ai Name

v1.0.0

Turn a 2-minute unedited screen recording into 1080p edited video clips just by typing what you need. Whether it's automatically editing raw footage into a p...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (cloud video editing) aligns with the API calls and upload workflow described in SKILL.md — requiring a NEMO_TOKEN and offering file uploads is expected. However, the registry metadata and the skill's frontmatter disagree: the registry reported no required config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). Also the skill declares NEMO_TOKEN as required yet documents an anonymous-token flow when NEMO_TOKEN is absent. These mismatches reduce confidence that the declared requirements are accurate.
Instruction Scope
Runtime instructions are focused on sessions, uploads, SSE streams, and export polling — all appropriate for an editing service. The skill instructs using local file paths for multipart uploads (e.g., -F "files=@/path"), which is expected for video uploads but means the agent will read user-provided files. It also instructs detecting an install path (e.g., checking ~/.clawhub/ or ~/.cursor/skills/) to set an attribution header, which implies probing certain filesystem locations not declared in registry metadata. No instructions request unrelated secrets or broad system data.
Install Mechanism
There is no install spec and no code files — this is instruction-only. That minimizes install-time risk because nothing is downloaded or written by an installer.
Credentials
Only NEMO_TOKEN is declared as the primary credential, which is appropriate for a third-party API. However, the skill provides an anonymous-token endpoint and flow if NEMO_TOKEN is not set, making the 'required' designation inconsistent. No additional unrelated credentials are requested.
Persistence & Privilege
always:false and no instructions to modify other skills or system-wide configs. The skill asks to save session_id for the session workflow (expected) but does not request persistent elevated privileges.
What to consider before installing
This skill appears to do what it says (upload video, run cloud edits, return a download). Before installing, consider:

(1) The skill will upload your video to a third-party API (mega-api-prod.nemovideo.ai). Only upload content you’re comfortable sharing with that service.
(2) The SKILL.md instructs the agent to read local file paths for uploads and to probe install paths (e.g., ~/.clawhub/, ~/.cursor/skills/). If you want to avoid any filesystem probing, do not grant the agent file access or decline to let it auto-detect install paths.
(3) There are metadata inconsistencies: registry metadata claimed no config paths but the skill's frontmatter references ~/.config/nemovideo/; and NEMO_TOKEN is marked required even though an anonymous-token flow exists. These could be sloppy packaging or an oversight — ask the publisher to clarify the intended auth model and why the skill probes install paths.
(4) Verify the API hostname and the service's privacy/security policy before sending sensitive videos.

No static-scan findings were present, but absence of matches isn’t a guarantee of safety.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
