Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Editor Ai Free
v1.0.0
edit raw video footage into edited MP4 clips with this editor-ai-free skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and students...
⭐ 0· 61·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (cloud video editing) aligns with the instructions to create sessions, upload video files, render, and return download URLs. Requesting a NEMO_TOKEN for API access is expected. However, SKILL.md metadata declares a config path (~/.config/nemovideo/) that is not included in the top-level registry 'Required config paths', and the registry lists NEMO_TOKEN as required while the runtime instructions include an anonymous-token fallback. On both points the registry metadata and the runtime instructions are inconsistent.
Instruction Scope
The instructions explicitly direct the agent to upload user videos (multipart file uploads or URLs) and to poll and download render results from https://mega-api-prod.nemovideo.ai. Uploading potentially large, private media to a third-party server is intrinsic to the skill, but it is a high-privacy operation and should be highlighted to users. The doc also instructs the agent to read the skill's YAML frontmatter and detect the install path in order to set attribution headers. Reading install paths or files may require filesystem access that isn't necessary for basic editing, and it is an unexpected side action.
Install Mechanism
No install spec or code files — instruction-only skill. This minimizes on-disk install risk.
Credentials
Only one credential (NEMO_TOKEN) is declared, which is proportional for a cloud API. But SKILL.md permits generating an anonymous token if NEMO_TOKEN is absent. Declaring NEMO_TOKEN as 'required' while providing an anonymous fallback is inconsistent and may mislead users about whether a secret is strictly necessary. The metadata's hidden config path (~/.config/nemovideo/) is also inconsistent with the registry listing.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill doesn't request permanent platform-wide privileges. No evidence it modifies other skills or agent-wide config.
What to consider before installing
This skill will send whatever you upload (videos, audio, images) to https://mega-api-prod.nemovideo.ai for cloud processing — do not upload sensitive or private footage unless you trust that service. Note: the skill's registry metadata and its runtime instructions disagree (declared configPaths and the 'required' env var vs an anonymous-token fallback). The source and homepage are unknown, so you cannot easily verify the backend operator or data-retention / deletion policies. Before installing or using it: (1) avoid uploading confidential media, (2) prefer using a vendor you trust or ask the publisher for a privacy/terms link, (3) if providing a NEMO_TOKEN, ensure that token's scope is limited, and (4) request clarification about why the skill needs to detect install paths or read frontmatter. If you need stronger assurance, ask the publisher for source code or an official homepage and for a clear data-retention/privacy statement.
Like a lobster shell, security has layers — review code before you run it.
latest vk971f8q2sznhhcj58a3r1c1qan84jthh
Runtime requirements
✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
