Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bing Video Creator Ai
v1.0.0Cloud-based bing-video-creator-ai tool that handles generating videos from text prompts or images. Upload MP4, MOV, PNG, JPG files (up to 200MB), describe wh...
⭐ 0· 59·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is presented as "Bing Video Creator AI" but all API endpoints point to mega-api-prod.nemovideo.ai (a third‑party domain), which suggests the name is misleading. Registry metadata earlier reported no required config paths but the SKILL.md frontmatter includes configPaths: ["~/.config/nemovideo/"], an inconsistency. Other than that, the declared single credential (NEMO_TOKEN) and described cloud video operations are coherent with a video-generation integration.
Instruction Scope
Instructions are explicit about contacting the remote API, obtaining an anonymous token, creating sessions, uploading media, and polling for exports. They do not instruct accessing unrelated local files or credentials beyond NEMO_TOKEN. The guidance to "save session_id" implies the skill will persist session state (expected), and it warns not to print tokens. Nothing in the SKILL.md asks the agent to read system files or other credentials, but the presence of a config path in metadata (see above) is unexplained in the registry entry.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not download or write code to disk. That is the lowest‑risk install pattern.
Credentials
Only one environment variable (NEMO_TOKEN) is required, which is proportionate for an API integration. However, the skill can also obtain anonymous tokens by calling the remote auth endpoint; you should consider the sensitivity of any token placed in NEMO_TOKEN because it grants the skill the ability to create renders and upload data to the third‑party service. The required attribution headers (X-Skill-Source/Version/Platform) will be sent with every call and could be used for telemetry or enforcement.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It instructs saving a session_id for ongoing operations (expected). It does not request modifying other skills or global agent settings.
What to consider before installing
This skill appears to call a third‑party API (nemovideo.ai) rather than an official Microsoft/Bing service despite its name — that could be misleading. Before using: 1) Verify the provider (homepage, owner identity, and privacy/terms) — there is no homepage listed. 2) Prefer using an anonymous token (the SKILL.md supports that) rather than placing a long‑lived or high‑privilege credential in NEMO_TOKEN. 3) Ask the publisher why the skill is branded "Bing" and why SKILL.md lists a config path while registry metadata did not. 4) If you must provide a token, restrict its scope and expiration, and avoid using sensitive account credentials. 5) Consider testing with throwaway content and an anonymous token first; review network traffic and the remote service's data retention/privacy policy before uploading any private media.Like a lobster shell, security has layers — review code before you run it.
latestvk97edgzb5keq6keambhcahz2rs84kr2g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN