ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Merger

v1.0.0

Turn three separate MP4 clips from a vacation into 1080p merged MP4 video just by typing what you need. Whether it's joining multiple video clips into a sing...

0· 38·0 current·0 all-time
by@whitejohnk-26
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the actions described in SKILL.md: uploading clips, creating a render session, and exporting a merged MP4 via the nemovideo.ai endpoints. Requesting a service token (NEMO_TOKEN) is appropriate for a cloud render service.
Instruction Scope
Instructions tell the agent to upload user-provided video files and interact with multiple backend endpoints (auth, session, upload, SSE, export). This is expected for cloud rendering but means user media is transmitted off-device; the skill also instructs the agent to auto-request an anonymous token if none is provided and to hide raw API responses/tokens from users, which is operationally reasonable but worth surfacing to users (it reduces transparency).
Install Mechanism
No install spec or code is present; the skill is instruction-only and performs network calls at runtime. This is the lowest install risk (nothing is written to disk by an installer).
Credentials
Only NEMO_TOKEN is required, which aligns with the declared primary credential. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry 'Required config paths' field is empty — a metadata mismatch but not itself dangerous. The skill will also create a short-lived anonymous token if none is present.
Persistence & Privilege
always:false and no install behavior are appropriate. The skill asks to store a session_id for subsequent API calls (normal session state); it does not request system-wide configuration changes or other skills' credentials.
Assessment
This skill uploads your video files to an external service (mega-api-prod.nemovideo.ai) and uses or creates a short-lived NEMO_TOKEN (anonymous tokens have ~100 free credits and expire in ~7 days). Before installing or using it: confirm you are comfortable with your videos leaving your device, check the provider's privacy/retention policy, and prefer supplying your own token if you want control over access. Note the SKILL.md asks the agent to hide raw API responses/tokens from users and includes a config path in its frontmatter that isn't declared elsewhere — this metadata mismatch is not critical but worth confirming with the skill author. If you handle sensitive footage, test with non-sensitive files or use a disposable/limited token.

Like a lobster shell, security has layers — review code before you run it.

latestvk975rfn119rhp7ag0j64qeb1wx84q7cj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments