Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Trimmer Online Free

v1.0.0

Trim video clips into trimmed video clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Content creators use it for cutting unwanted sec...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description line up with the runtime instructions: it connects to a remote 'nemovideo' API, creates sessions, uploads video files, and requests exports. Requiring a single NEMO_TOKEN credential is proportionate. However, registry metadata said no config paths while the embedded SKILL.md frontmatter lists a config path (~/.config/nemovideo/), which is an inconsistency that should be clarified.
Instruction Scope
Instructions are focused on interacting with the nemovideo cloud API (auth, session creation, SSE, uploads, polling render status). They tell the agent to upload user files (multipart or URL) and to use an env token or request an anonymous token from the remote API. They also ask to auto-detect an 'install path' to set an X-Skill-Platform header, which may require reading the agent install environment. No broad file-reading or unrelated credential exfiltration is explicitly instructed, but file uploads and platform auto-detection are privacy-relevant and expected for this functionality.
Install Mechanism
No install specification and no code files (instruction-only). This minimizes installation risk because nothing is written to disk by an installer. Runtime network calls will happen per the SKILL.md.
Credentials
Only one declared secret (NEMO_TOKEN / primaryEnv) is requested, which fits a cloud API integration. The skill will also generate and use an anonymous token if none is provided, meaning it can operate without user-supplied credentials. The inconsistency between registry-level 'no config paths' and SKILL.md's metadata asking for ~/.config/nemovideo/ should be resolved — that path, if actually used, could expose local config data.
Persistence & Privilege
always:false and no install steps mean the skill does not request permanent, force-included presence or make persistent system changes. It will create short-lived sessions with the remote service, which is expected for the described workload.
What to consider before installing
This skill appears to do what it says (upload user video files to a nemovideo cloud API and return trimmed exports), but there are things to check before installing:
1) The package has no homepage or source repository. Verify who runs mega-api-prod.nemovideo.ai and review their privacy/TOS.
2) Confirm the intended use of ~/.config/nemovideo/ (SKILL.md mentions it but registry metadata does not).
3) Understand token handling: if you don't provide NEMO_TOKEN the skill will obtain an anonymous token from the service; decide whether that is acceptable.
4) Only upload files you are comfortable sending to a third-party service.
If you need higher assurance, ask the skill author for a repository, privacy policy, and clarity on the config path inconsistency before enabling.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c575r063vbee57jhw72thws84qe14

Runtime requirements

✂️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN