ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Music Cog

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — add free background music to my video automatically — and get music-backed...

0· 56·0 current·0 all-time
by@dsewell-583h0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (add royalty-free music to videos) match the runtime instructions (endpoints for upload, session, export). The single required env var (NEMO_TOKEN) is appropriate for an API-backed service. However, SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata reported as 'none' — this mismatch is unexplained and worth verifying.
!
Instruction Scope
Instructions direct the agent to: create or reuse a bearer token, POST potentially large user video files (up to 500MB) to https://mega-api-prod.nemovideo.ai, create sessions, poll render status, and read the skill's YAML frontmatter at runtime to set attribution headers. Uploading user files and reading local config/frontmatter are expected for this use case, but they are privacy-sensitive actions and the skill's origin is unknown. The instructions also require storing session_id/token state and explicitly tell the agent not to print tokens (which is good), but they do not clearly specify where or how long tokens/session data are persisted.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer step from the skill itself.
!
Credentials
Only NEMO_TOKEN is required, which is proportional for calling the service. However, the frontmatter indicates the skill may read a config path (~/.config/nemovideo/) to locate credentials/preferences; that access was not declared in the registry's 'Required config paths' field. Implicit file access to a user's home directory increases the privacy/credential risk and should be explicitly disclosed.
Persistence & Privilege
The skill is not marked 'always:true' and is user-invocable. It requests session tokens and may save session_id locally for the duration of a session, which is normal. It does not request system-wide privileges or claim to modify other skills.
What to consider before installing
This skill appears to be a cloud-backed video/music processor and will upload whatever video files you provide to https://mega-api-prod.nemovideo.ai and use a bearer token (NEMO_TOKEN). Before using it: 1) Verify the service/operator — there is no homepage or source URL in the registry; prefer skills with a verifiable publisher. 2) Don't upload sensitive or private video/audio until you trust the destination and its privacy policy. 3) Check whether you already have credentials in ~/.config/nemovideo/ (the skill may try to read that); remove or inspect them if you don't want them used. 4) If possible, test with a short non-sensitive sample file and a disposable token (anonymous token flow is supported). 5) Confirm how long session tokens are stored and where; revoke tokens or clear saved session data after use. If any of these points are unacceptable, avoid installing or using this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9731nabaqdqx8swcr20yz7y4n84py3m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments