Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create Video Using Ai

v1.0.0

Cloud-based create-video-using-ai tool that handles generating videos from images or text prompts. Upload MP4, MOV, JPG, PNG files (up to 500MB), describe wh...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with the runtime instructions: the skill uploads media and calls a cloud render API. Requiring a NEMO_TOKEN (or obtaining one from the service) is consistent with a cloud video API.
Instruction Scope
SKILL.md instructs the agent to automatically connect to the backend when the skill is opened and to POST for an anonymous token if NEMO_TOKEN is not set, which causes network activity without an explicit user action. It also instructs use of local file paths for uploads (expected when the user supplies files) but additionally describes detecting install paths and a config directory (~/.config/nemovideo/) — implying the agent may probe the user's home directory. The skill also tells the agent not to display tokens, and to store session_id for subsequent requests, but doesn't specify where or how to persist those values (env vs config file).
Install Mechanism
There is no install spec or bundled code — this is instruction-only, so nothing is written to disk by an installer. Lowest install risk.
Credentials
Only one credential is declared (NEMO_TOKEN), which is appropriate for a single backend service. However, the skill both expects a pre-set NEMO_TOKEN and provides an anonymous-token flow to obtain one automatically; metadata also declares a config path (~/.config/nemovideo/). Together these imply the skill may read or write tokens to disk or probe config locations, which is disproportionate unless the user explicitly agrees to persistent storage.
Persistence & Privilege
always:false (no forced inclusion). The skill can be invoked autonomously (default), which is normal for skills. There is no instruction to modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a straightforward cloud video generator, but it will automatically talk to the vendor backend when first opened and can obtain an anonymous token on your behalf. Before installing, consider:
1) Do you trust the domain (mega-api-prod.nemovideo.ai) to receive your media?
2) Are you comfortable the skill may probe '~/.config/nemovideo/' and detect install paths in your home directory?
3) Where will the session token be stored (env vs a config file)?
If you proceed, provide only media you are willing to upload to that service and, if possible, set your own NEMO_TOKEN or ask how/where the skill persists tokens so you can manage or revoke them. If you need higher assurance, request a version with explicit storage behavior (e.g., store session only in ephemeral memory) and an explicit user consent step before auto-connecting.



Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
