by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's declared purpose (cloud video editing) matches much of its instructions, but there are several mismatches and ambiguous behaviors—automatic anonymous token creation, hidden credential handling, and references to local config/install paths—that warrant caution before installing.
评估建议
This skill will upload your video files and contact an external service (mega-api-prod.nemovideo.ai). If you don't provide NEMO_TOKEN it will automatically request an anonymous token and keep session state for you — and explicitly tells the agent not to show raw token values. Before installing, ask: (1) Is the backend domain legitimate and do you trust its privacy/retention policy for your videos? (2) Where exactly will the skill store session_id and tokens (in-memory only or persisted to disk/e...详细分析 ▾
ℹ 用途与能力
The skill claims cloud video editing and its API endpoints, upload, render, and export flows align with that purpose. Requiring a NEMO_TOKEN is coherent. However, the SKILL.md frontmatter references a local config path (~/.config/nemovideo/) and metadata fields (X-Skill-Platform auto-detect) that are not reflected in the registry summary — this mismatch is unexplained and may imply additional local reads the registry didn't declare.
⚠ 指令范围
The runtime instructions tell the agent to automatically call an external auth endpoint to obtain an anonymous token when NEMO_TOKEN is absent, store session_id and use the token for all requests, and explicitly instruct the agent not to display raw token/API responses to the user. The skill also requires the agent to determine an install path to set X-Skill-Platform and references a config directory. Automatic background network calls and hidden handling of tokens broaden the scope beyond a simple upload/edit flow and are worth flagging.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. That is the lowest install risk.
ℹ 凭证需求
Only NEMO_TOKEN is declared as required which is proportionate for a cloud video service. However, the skill will generate and use an anonymous token if none is present, and it references storing session state and reading/inferring install/config paths to populate headers — behaviors that expand credential and local-access scope beyond the single declared env var.
ℹ 持久化与权限
always is false and autonomous invocation is allowed (platform default). The SKILL.md instructs storing session_id and using tokens across requests but doesn't specify where or for how long (memory vs persistent storage). This ambiguity increases risk if tokens/sessions are persisted without user consent, but there is no explicit request for system-wide configuration changes.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/22
Initial release of Free Maker Editor — Create and Edit Videos Free. - Upload raw video clips (MP4, MOV, AVI, WebM up to 500MB) and receive polished, AI-edited videos at 1080p in minutes. - Supports quick tasks like trimming, adding transitions, and exporting ready-to-post final videos, ideal for fast-paced content creators. - Automated free session/token setup; 100 free credits valid for 7 days per user. - Seamless chat-based workflow: send files and simply describe edits — no sliders or complex UI. - Built-in error handling for supported formats, file size, credits, and authentication. - Includes typical use cases, quick start tips, and clear API mapping for all key actions.
● Pending
安装命令
点击复制官方npx clawhub@latest install free-maker-editor
镜像加速npx clawhub@latest install free-maker-editor --registry https://cn.longxiaskill.com