ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Editing With Facebook

v1.0.0

Facebook content creators edit video clips into Facebook-ready videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 108...

0· 55·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description emphasize 'Facebook' optimization, but the runtime instructions never call Facebook APIs or request Facebook credentials — instead they use a third‑party service (mega-api-prod.nemovideo.ai). This can be reasonable if the skill only formats videos for Facebook, but the naming could mislead users into thinking it integrates with Facebook directly.
!
Instruction Scope
The SKILL.md instructs the agent to automatically connect to an external backend on first use, POST to endpoints to obtain an anonymous token and create sessions, upload user media files, and store session tokens. It also tells the agent to read the skill's own frontmatter and detect install paths to populate attribution headers. Automatic outbound network activity and file-system inspection (install path detection) on first open are notable privacy/behavioral concerns and should be made explicit to users.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer, which lowers risk. There is no package download or external installer invocation in the manifest.
Credentials
The only declared credential is NEMO_TOKEN, which aligns with using the nemovideo backend. However, the skill metadata in SKILL.md references a config path (~/.config/nemovideo/) while the registry metadata listed none — this mismatch is unexplained and suggests the skill may read/write a local config directory in practice.
Persistence & Privilege
The skill does not request 'always: true' and appears not to modify other skills or global settings. Still, it instructs storing session IDs and potentially the anonymous token for up to 7 days; where/how those tokens are persisted (in-memory vs on-disk under ~/.config/nemovideo/) is not specified, which affects long-term privilege/persistence.
What to consider before installing
This skill hands all uploads and processing to a third‑party service (mega-api-prod.nemovideo.ai) and will automatically obtain and use an anonymous NEMO_TOKEN if one isn't provided. Before installing: (1) Confirm you are comfortable uploading videos (and any contained PII) to that external service. (2) Ask where the anonymous token and session IDs are stored (in-memory only vs written to ~/.config/nemovideo/). (3) Require explicit user consent before any automatic outbound upload/connect on first open. (4) Note the skill name mentions Facebook but it does not talk to Facebook APIs — if you expected direct Facebook publishing, this skill does not do that. If you need stronger assurance, request the skill author/source, an explicit privacy policy for nemovideo.ai, and clarification about local config writes; without that, treat the skill as untrusted for sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bayw6fbjx7cakb761qztxa984mq7w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📘 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments