ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Text To Video Editor

v1.0.0

convert text prompts into text-based videos with this skill. Works with TXT, DOCX, PDF, plain text files up to 500MB. content creators, marketers, educators...

0· 36·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description map to a cloud video-rendering service and the only declared credential is NEMO_TOKEN, which is consistent. However the package has no source/homepage (low transparency) and the metadata declares a config path (~/.config/nemovideo/) that the SKILL.md does not clearly justify or use.
!
Instruction Scope
Runtime instructions instruct the agent to call multiple external Nemo endpoints, upload user files, stream SSE, and include attribution headers. They also ask the agent to read this file's YAML frontmatter and to detect the install path to set X-Skill-Platform — both require reading local paths/metadata. Those filesystem reads are small in scope but are not strictly necessary for core video rendering and broaden what the agent reads locally.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
Only one credential is declared (NEMO_TOKEN), which is appropriate for a third-party API. However the metadata marks NEMO_TOKEN as required while the SKILL.md offers an anonymous-token fallback (POST to /api/auth/anonymous-token) — that mismatch is an incoherence. The declared config path (~/.config/nemovideo/) is not explained by the instructions.
Persistence & Privilege
always:false and no system-wide modifications are requested. The skill creates sessions on the remote service but does not request persistent elevated local privileges.
What to consider before installing
This skill talks to an external API (mega-api-prod.nemovideo.ai) and expects a NEMO_TOKEN but will also try to get an anonymous token if none is present. There is no published source or homepage to verify the service. Before installing: (1) prefer to supply a token from a vendor you trust rather than relying on anonymous token generation; (2) be aware the skill will attempt to read its own frontmatter and detect an install path (small local filesystem reads) to populate attribution headers; (3) confirm the privacy policy or terms for uploading potentially sensitive files to the external service; (4) if you need stricter control, restrict the skill's network access or avoid installing until the vendor/source can be verified. The inconsistencies (metadata configPath and required env vs. the SKILL.md fallback) are not proof of malice but warrant caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dhwnvabryfprq49pd9vrnq584rh5w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments