Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Ai Korean

v1.0.0

Cloud-based editor-ai-korean tool that handles adding Korean subtitles and edits to videos. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe what you...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is presented as a cloud video editor and its declared primary credential (NEMO_TOKEN) and the described API calls are coherent with that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare — it's unclear why local config access is required for a cloud service.
Instruction Scope
Instructions are network-heavy (create sessions, upload files, call render endpoints) which is expected. The runtime guidance also asks the agent to read the skill's YAML frontmatter and detect install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform — that requires probing the user's home filesystem and is not strictly required to perform cloud editing. The skill also recommends keeping technical details out of chat and mandates attribution headers on every request. No instructions ask the agent to read arbitrary unrelated files, but the install-path/config-path checks are unnecessary scope creep and should be verified.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only NEMO_TOKEN is declared as required, which fits a cloud API service. The SKILL.md also documents a fallback anonymous-token flow (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token) so the skill can operate without a pre-provided token. The unexpected metadata reference to ~/.config/nemovideo/ is the main proportionality concern: a purely cloud service typically doesn't need local config access.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does use session tokens for job management, which is normal for this kind of service. Autonomous invocation is allowed by default but not combined with other high-risk factors here.
What to consider before installing
This skill largely does what it says (cloud-based Korean subtitle/editing) and needs a NEMO_TOKEN or will obtain a temporary anonymous token from https://mega-api-prod.nemovideo.ai. Before installing or using it:
1) Verify the backend domain (mega-api-prod.nemovideo.ai) and its privacy policy: uploaded videos and audio will be sent to that service.
2) Prefer using a trusted account token rather than relying on anonymous flows for sensitive media.
3) Ask the publisher or maintainer why the skill metadata references a local config path (~/.config/nemovideo/) and why the agent should check install paths; if the skill will probe or read local config, get explicit details about what is read and why.
4) If you need stronger assurance, request the skill's source code or a homepage and confirm there are no instructions that read or transmit files outside the declared upload flow.
These clarifications would raise confidence to 'high' and could make the skill appear benign.

Runtime requirements

🇰🇷 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN