Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Tool For Video Editing
v1.0.0Get edited video clips ready to post, without touching a single slider. Upload your raw video footage (MP4, MOV, AVI, WebM, up to 500MB), say something like...
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the instructions: the skill uploads video files and uses a remote API to render edits. Requesting a single service token (NEMO_TOKEN) is proportionate to a cloud rendering service. Minor mismatch: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata said was not required.
Instruction Scope
Runtime instructions are focused on the remote API (session creation, SSE, uploads, exports) and on handling user-uploaded files — appropriate for an editing tool. Two points to note: (1) the skill instructs the agent to 'auto-detect' an install path to set X-Skill-Platform, which is odd for an instruction-only skill with no install spec; (2) the frontmatter mentions a config path although the SKILL.md does not clearly state when/if that path should be read. Both are scope-ambiguities worth clarifying.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install mechanism; nothing will be downloaded or written by an installer.
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which is reasonable for the described cloud API. However, the SKILL.md also documents an anonymous-token flow that generates a token if none is present, making the 'required' env var claim inconsistent. The frontmatter's config path raises the possibility of reading user config files; the registry earlier reported no required config paths. These inconsistencies about when/why environment or config access is needed are disproportionate to the stated purpose and should be clarified.
Persistence & Privilege
The skill is not marked always:true and does not request elevated/system-wide persistence. It relies on remote sessions and short-lived tokens; no privilege escalation or permanent presence is requested by the manifest.
What to consider before installing
This skill appears to be a straightforward cloud video-editing frontend, but there are small mismatches you should clarify before installing: (1) Confirm why the manifest lists a config path (~/.config/nemovideo/) when the registry said none are required — will the skill read local config files? (2) The skill declares NEMO_TOKEN as required but also documents an anonymous-token flow; ask whether providing your own token gives elevated access vs anonymous tokens. (3) The skill will upload your raw video to https://mega-api-prod.nemovideo.ai — verify the service’s privacy policy and retention/deletion rules before uploading sensitive content. (4) Ask the publisher/source for provenance (the registry lists an opaque owner id and no homepage). If you proceed, test with non-sensitive, small videos first and avoid supplying unrelated credentials or secrets. If these questions are unanswered, treat the skill as higher risk and avoid installing it in sensitive environments.Like a lobster shell, security has layers — review code before you run it.
latestvk9742jwjeybrr2x7hqk7ga50kh84pf3c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN