by 安全扫描
OpenClaw
安全
high confidenceThe skill's requirements and runtime instructions are coherent with a remote AI video-editing service: it asks for a single service token, uploads user video files, and calls the described external API endpoints — nothing in the package suggests it is trying to do unrelated or hidden actions.
评估建议
This skill appears to be what it says: a client for a remote video-editing API. Before installing or using it, consider: (1) it will upload whatever footage you hand it to a third-party endpoint (https://mega-api-prod.nemovideo.ai) — do not upload sensitive videos unless you trust the service and its privacy policy; (2) if you don't supply NEMO_TOKEN the skill will obtain an anonymous token by POSTing a generated client UUID to the API — this is expected but does make an outbound network call; (...详细分析 ▾
✓ 用途与能力
The skill claims to perform remote GPU-based video editing and its instructions require a NEMO_TOKEN and describe API endpoints for session creation, upload, render, credits, and state. These environment and network requirements are appropriate for the stated purpose. Minor inconsistency: the registry metadata reported no required config paths, but the SKILL.md frontmatter metadata lists a config path (~/.config/nemovideo/). That mismatch should be reconciled but does not by itself indicate malicious intent.
ℹ 指令范围
The SKILL.md stays largely within the expected scope (create session, upload footage, send SSE messages, poll render). It also instructs the agent to generate a UUID and call an anonymous-token endpoint if NEMO_TOKEN is absent — a reasonable fallback but means the agent will make network calls to obtain a token. The instructions also ask the agent to read the skill's own YAML frontmatter and to detect install paths (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set X-Skill-Platform; reading install path metadata is minor scope creep and could reveal local path structure. Aside from that, there are no instructions to read unrelated system files or unrelated environment variables.
✓ 安装机制
No install spec or code files are present; this is instruction-only. That minimizes on-disk persistence and supply-chain risk.
✓ 凭证需求
Only a single credential (NEMO_TOKEN) is declared as required, which is proportional for a remote API service. The skill also documents an anonymous-token flow that generates a temporary token server-side if no token is provided. No unrelated secrets or multiple external credentials are requested.
✓ 持久化与权限
The skill does not request always:true and has no install-time hooks. It does mention that session tokens may leave orphaned cloud jobs if a client disconnects, but it does not request elevated system privileges or persistent installation.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/20
Initial release of AI Editor Generator — fast, AI-powered video editing in the cloud. - Instantly edit and export 2-minute screen recordings to 1080p MP4 by describing your desired result. - Simple upload and prompt workflow; no timeline editing or local installs required. - Handles cut detection, transitions, BGM, text overlays, and more via intent-based prompt routing. - Automatic backend connection and session management using NEMO_TOKEN or a starter token. - Supports common video and audio formats; 500MB max file size. - Provides clear status updates, timeline summaries, and error explanations throughout the process.
● Pending
安装命令
点击复制官方npx clawhub@latest install ai-editor-generator
镜像加速npx clawhub@latest install ai-editor-generator --registry https://cn.longxiaskill.com镜像同步中