Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Highlight Editor Professional

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — extract the best moments and compile them into a 3-minute highlight reel —...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match a cloud video-processing service and the skill only declares a single service token (NEMO_TOKEN), which is proportionate. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) that the registry metadata omitted—an inconsistency worth noting.
! Instruction Scope
The runtime instructions tell the agent to automatically obtain an anonymous token (POST to mega-api-prod.nemovideo.ai), create sessions, upload user video files to the remote GPU service, and store session IDs. They also direct the agent not to display raw API responses or token values. Uploading user media to a third-party server is expected for this skill, but the auto-token flow and the explicit instruction to hide token values reduce transparency and could be abused to exfiltrate data or hide unexpected responses.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer step in the package itself.
! Credentials
The only declared credential is NEMO_TOKEN, which is appropriate for a nemo video service. However, the frontmatter asks for a config path (~/.config/nemovideo/) that was not listed in the registry metadata; the SKILL.md also requires detecting the agent install path to set attribution headers. Both behaviors imply the skill may read local configuration or paths beyond the declared env var, which is disproportionate unless explicitly justified.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It stores session_id / token for its own calls (normal for a remote-api integration). Autonomous invocation is allowed by default for skills and is not by itself a red flag here.
What to consider before installing
This skill performs remote cloud rendering and will upload your videos to https://mega-api-prod.nemovideo.ai and either use a user-supplied NEMO_TOKEN or automatically obtain a short-lived anonymous token. Before installing:

1) Be aware that your raw media will be transmitted to a third party — check their privacy/terms and do not send sensitive footage you cannot share.
2) The skill instructs the agent to auto-create and quietly store tokens and session IDs; if you prefer transparency, set NEMO_TOKEN yourself instead of allowing auto-provisioning.
3) There is an inconsistency: the SKILL.md mentions reading ~/.config/nemovideo/ and detecting install paths (not declared in registry metadata) — confirm whether the skill will read local config files.
4) The skill’s source/homepage is unknown; prefer skills with a verifiable publisher or public repository for higher trust.

If you need higher assurance, ask the publisher for a privacy/security statement or avoid installing until source and config-read behaviors are clarified.

Like a lobster shell, security has layers — review code before you run it.

latest vk9757ykra3tsr7hd9cxnggthr984n9sh

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
