Security scan
OpenClaw
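Suspicious
Medium confidence. The skill ostensibly implements cloud-based AI video editing, but its runtime instructions involve file-system checks and inconsistent credential/config metadata. Review what it reads and transmits before installing.
Assessment recommendations
The skill uploads videos to mega-api-prod.nemovideo.ai and authorizes with NEMO_TOKEN. Before installing: (1) confirm that you accept sending videos (and any sensitive content) to an external service, and review its privacy/retention policy; (2) note that the SKILL.md instructions require detecting/reading home-directory paths (~/.clawhub, ~/.cursor/skills, ~/.config/nemovideo/), and ask the author to explain why this is necessary or to remove the unneeded checks; (3) be aware that the registry claims NEMO_TOKEN is required, but the skill can obtain an anonymous token on its own, so decide whether to supply your own token or use a temporary one; (4) if you need tighter control, consider supplying a limited/one-time token, or test with non-sensitive video first. These inconsistencies may have a reasonable explanation, but they should be clarified before you trust the skill with private data. ...
Detailed analysis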
ℹ Purpose and capabilities
The skill's stated purpose (cloud AI video editing) reasonably explains needing an API token for a backend. However the registry metadata asserts NEMO_TOKEN is required while the SKILL.md includes a full anonymous-token acquisition flow (so an env var isn't strictly necessary). The frontmatter in SKILL.md also lists a config path (~/.config/nemovideo/) that the registry metadata did not list — there's an inconsistency between declared requirements and what the instructions reference.
⚠ Instruction scope
Instructions perform normal API interactions for uploads, SSE, polling and rendering (expected). But they also instruct the agent to detect install path (checking ~/.clawhub, ~/.cursor/skills) to set an X-Skill-Platform header and reference reading this file's YAML frontmatter and a local config path (~/.config/nemovideo/). Detecting/reading arbitrary paths in the user's home directory is outside the minimal scope of 'upload and edit this video' and raises privacy/scope concerns.
✓ Install mechanism
There is no install spec and no code files — this is an instruction-only skill. That minimizes disk-write/remote-install risk.
ℹ Credential requirements
The primary credential requested is NEMO_TOKEN which is proportionate to a cloud-rendering service. However the SKILL.md provides an anonymous-token acquisition flow if NEMO_TOKEN is missing, making the registry's declaration that NEMO_TOKEN is required misleading. The frontmatter references a config path (~/.config/nemovideo/) which could imply reading user files; that wasn't declared in the registry metadata and should be clarified.
✓ Persistence and privileges
The skill is not 'always: true' and does not request elevated persistent privileges. Autonomous invocation (model invocation enabled) is the platform default and is not, by itself, a red flag. The skill does mention session state and orphaned jobs but does not request system-wide config changes.
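Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/11
Easy AI Video Editor initial release.
- Quickly edits raw video footage through cloud GPU processing; supports MP4, MOV, AVI, WebM (up to 500MB).
- Simple setup flow: anonymous authentication and secure session management are handled automatically.
- User-friendly text prompts accept natural-language instructions for edits such as cuts, transitions and text overlays, with no timeline editing required.
- Supports 1080p MP4 export, completed in 1-2 minutes, with a download link provided on completion.
- Clear workflow for upload, edit, status check, credit check and export; all commands match intuitive instructions.
- Error handling includes helpful guidance for common issues (such as file size, format, token and credits).
● Harmless
Install command
Official: npx clawhub@latest install easy-ai-video-editor
Mirror (accelerated): npx clawhub@latest install easy-ai-video-editor --registry https://cn.clawhub-mirror.com
Skill documentation
Introduction
A cloud-based AI video editing skill for non-professional creators and social media users...
Data source: ClawHub · Chinese localization: 龙虾技能库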