Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Audio
v1.0.0
Get clean audio video ready to post, without touching a single slider. Upload your video with audio (MP4, MOV, AVI, WebM, up to 500MB), say something like "r...
⭐ 0· 58·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the runtime instructions (upload video, call a remote rendering API). Requesting a NEMO_TOKEN credential is coherent for this service. However, the registry metadata at the top lists no required config paths while the SKILL.md frontmatter and metadata mention a config path (~/.config/nemovideo/). That mismatch should be clarified.
Instruction Scope
Instructions direct the agent to (a) generate an anonymous token by POSTing a UUID to an external endpoint if NEMO_TOKEN is absent, (b) create and persist a session_id, (c) upload user files via multipart/form-data and poll render endpoints, and (d) detect an install path to set an attribution header. Generating/storing tokens and probing install paths implies filesystem/network actions beyond simple API calls — this is reasonably related to the stated task but increases the skill's access surface and may involve reading/writing local state (and leaking inferred platform info).
Install Mechanism
Instruction-only skill with no install spec or downloaded code; this minimizes on-disk risk. All runtime behavior is via outbound HTTP to the referenced API endpoints.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportionate for a remote processing service. Caveats: SKILL.md also references a local config path (~/.config/nemovideo/) in metadata (not declared in the registry header), and the skill instructs creating an anonymous token if none is present — this will result in contacting the external service and receiving a token that the agent will treat as NEMO_TOKEN (100 credits, 7‑day expiry).
Persistence & Privilege
Skill does not request always:true and does not ask to change other skills or system-wide configs. It does instruct saving a session_id / using tokens, which is normal for session-based APIs but you should confirm where (and for how long) these values are persisted.
Scan Findings in Context
[no-regex-findings] expected: The static regex scanner had no code to analyze (instruction-only skill with a single SKILL.md). Absence of findings is not evidence of safety — the SKILL.md is the primary attack surface.
What to consider before installing
This skill looks like it does what it says (uploads a video and calls a remote API to enhance audio) and only asks for a single service token. Before installing:
1) Confirm you trust https://mega-api-prod.nemovideo.ai (uploads include your video/audio and may be stored/processed there).
2) Ask the author to resolve the metadata mismatch (registry says no config paths but SKILL.md lists ~/.config/nemovideo/).
3) Clarify where session tokens/session_id are stored and for how long (in-memory vs written to disk).
4) If you don't want persistent access, prefer supplying a short‑lived or scoped token rather than a long‑lived credential.
5) If you’re concerned about local path probing, ask whether the agent actually accesses the filesystem to detect install paths or can default to 'unknown'.
These clarifications will reduce the remaining uncertainties.
Like a lobster shell, security has layers — review code before you run it.
latestvk970xz39gc3gebpve0rhv93mx984mktw
Runtime requirements
🎧 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
