ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Script Writer Free

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — write a YouTube script for a 3-minute video about budgeting tips for begin...

0· 48·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate video scripts and drive cloud rendering; the SKILL.md only talks to a Nemovideo API and accepts uploads and render jobs, so the required NEMO_TOKEN credential is expected. However, the skill's YAML frontmatter inside SKILL.md references a config path (~/.config/nemovideo/) and platform-detection via install path (~/.clawhub/, ~/.cursor/skills/) while the registry metadata reported no required config paths — this mismatch should be clarified.
Instruction Scope
Runtime instructions are largely scoped to the nemo API: obtain/use a NEMO_TOKEN (or request an anonymous token), create sessions, upload files, send SSE messages, poll render status, and return download URLs. The instructions also tell the agent to save session_id and include attribution headers; they instruct reading the agent's install path to set X-Skill-Platform. Reading install paths / config directories is beyond pure script-generation but is plausibly used for attribution — still worth verifying.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That is the lowest-risk install pattern (nothing additional is written to disk by an installer).
!
Credentials
The only declared secret is NEMO_TOKEN, which is appropriate for calling the third-party API. However, the SKILL.md metadata and runtime text request access to a local config path (~/.config/nemovideo/) and to detect install paths for attribution. Reading those local locations can expose unrelated local configuration or reveal other installed-skill metadata. Also the skill can obtain an anonymous token by calling an external endpoint and then treat that as NEMO_TOKEN — make sure you understand what permissions or credit limits that token grants. There is an inconsistency between the registry's reported required config paths (none) and the frontmatter's configPaths that should be resolved.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It instructs saving session_id and reusing tokens for the session lifecycle, which is normal for a remote-render workflow. Be aware that the platform default allows autonomous invocation; combined with the skill's ability to read local install/config paths, that increases potential privacy exposure if you enable the skill without restrictions.
What to consider before installing
What to check before you install/use this skill: - Verify the API domain (mega-api-prod.nemovideo.ai) is a service you trust. The skill will upload video/audio files and send them to that endpoint. - Prefer using an ephemeral/anonymous NEMO_TOKEN (the skill documents anonymous-token flow) rather than providing a long-lived personal token or credentials. - Clarify the config-path behavior: the SKILL.md asks to read ~/.config/nemovideo/ and to detect install paths (~/.clawhub/, ~/.cursor/skills/) for attribution. If you care about privacy, do not let the skill read your home config directories or other installed-skill paths. - Don’t upload sensitive video/audio or personally-identifying material unless you trust the service and understand retention/terms. - Ask the publisher (owner ID) for provenance: the skill source/homepage is unknown. If you need higher assurance, request a published homepage or source repo and an explanation for the configPath vs registry metadata mismatch. - If possible, run the skill in a restricted or disposable environment (or provide only anonymous tokens/limited credentials) until you are confident about behavior and data handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk971c6q56cb3ybd2q4b3ddvb5n84pgwd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments