Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Batch Video Creator

v1.0.0

Get batch MP4 videos ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, JPG, PNG, up to 500MB), say something like "crea...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (batch video creation) matches the API endpoints and the single required credential (NEMO_TOKEN) declared in SKILL.md. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths; this mismatch is an internal inconsistency. The skill also asks the agent to set the X-Skill-Platform header by detecting install paths (e.g. ~/.clawhub/, ~/.cursor/skills/), which is not strictly necessary for basic video rendering.
Instruction Scope
Runtime instructions include creating and using a bearer token, opening sessions, uploading files (multipart, using local paths), and reading install paths to set the X-Skill-Platform header. The "detect install path" behavior requires inspecting the user's home directories, which is outside the minimal scope of uploading media and rendering videos and could reveal what other tools or skills are installed. The instructions also assume the agent can reference local filesystem paths for uploads, which may not map to how users actually provide files in the platform.
Install Mechanism
No install spec and no code files — instruction‑only. That minimizes risk from arbitrary code installation.
Credentials
The only declared required credential is NEMO_TOKEN, which is appropriate for a service that authenticates to a rendering API. The SKILL.md also documents an anonymous-token flow (POST to mega-api-prod.nemovideo.ai) to mint a temporary token. Be aware that the anonymous token endpoint and the NEMO_TOKEN grant API access and credits; their scope and lifetime should be validated before trusting the token. The instruction to probe install paths could expose other local configuration that isn't needed for video creation.
Persistence & Privilege
The skill does not request always: true and has no install behavior. It asks to persist a session_id for ongoing jobs (normal for long‑running cloud jobs) but does not request system‑wide config changes or other skills' credentials.
What to consider before installing
This skill talks to a remote service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN to work; that is expected for a cloud rendering tool. Before installing, consider:
1) Only provide a token with minimal scope or use the anonymous token flow if you don't want to supply long‑lived credentials; verify what that token can do and how to revoke it.
2) The skill asks the agent to inspect install paths (~/.clawhub, ~/.cursor/skills) to set an attribution header — if you don't want the agent probing your home directory or revealing what other tools you have installed, deny or sandbox that behavior.
3) The SKILL.md and registry metadata disagree about config paths (inconsistency); ask the publisher to clarify.
4) Test the skill first with non‑sensitive, small media files and monitor network activity; if you see unexpected requests or it asks for unrelated credentials, stop and revoke tokens.
If you need higher assurance, request the skill's source or a signed publisher homepage before trusting it with credentials or private files.


latest: vk97841m2p903wvjw9ckj8kdw8584pssm


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
