Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Suno Ai
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — generate a 30-second background track from a mood description — and get AI...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (generate short AI music/video renderings) align with the runtime instructions (upload media, create session, stream SSE, request renders). Requiring a single service token (NEMO_TOKEN) is consistent with a cloud-backed renderer. However, SKILL.md's embedded metadata lists a required config path (~/.config/nemovideo/) while the registry metadata earlier states no required config paths — this mismatch is unexplained and should be clarified.
Instruction Scope
SKILL.md specifies explicit API interactions: create/refresh a session, send SSE messages, upload files, poll render status, and send the required attribution headers. All of those are within the domain of remote render/music generation. Items to note: (1) the instructions tell the agent to obtain an anonymous token by POSTing to a remote endpoint if no NEMO_TOKEN is present, which will cause the agent to contact an external service and use the returned token as bearer auth; (2) they ask the agent to 'auto-detect' the install path to set X-Skill-Platform (this likely requires reading the runtime/install path); and (3) the skill instructs uploading user files (up to 200MB) to the remote service, which is a legitimate capability but a privacy surface to be aware of.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk-write/remote install risk: nothing is downloaded or installed by the skill itself.
Credentials
The skill only requests a single credential (NEMO_TOKEN) as primaryEnv, which is proportionate to calling a protected cloud API. However, SKILL.md metadata references a config path (~/.config/nemovideo/) not declared in the registry metadata; that could indicate the skill expects to read local configuration or cached credentials, and the registry/manifest mismatch should be resolved. Also, bearer tokens are powerful — anyone with NEMO_TOKEN can act as the user on that backend, so treat tokens as sensitive.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. It does instruct creation/usage of short-lived session tokens on the remote service; that is normal for this type of client.
What to consider before installing
This skill appears to be a thin client that talks to mega-api-prod.nemovideo.ai to create sessions, upload media, start cloud renders, and stream progress. Before you install or use it:
- Be careful with NEMO_TOKEN: it's a bearer credential—only provide a token if you trust the service; otherwise prefer letting the skill obtain a temporary anonymous token.
- Do not upload sensitive or private media (personal videos, unreleased content, PII) because files are sent to an external service.
- The manifest has a metadata mismatch (SKILL.md references ~/.config/nemovideo/ while registry metadata did not list any config paths) and the skill source/homepage is missing — both reduce transparency. Ask the publisher for the source code or official homepage and for clarification about whether the skill will read local config files.
- Verify the service domain and its privacy/terms (nemovideo.ai) before providing credentials or sensitive uploads.
If the publisher provides source or a homepage and clarifies the config-path mismatch, and you only use ephemeral anonymous tokens and non-sensitive files, the risk is lower.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
