Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Tool For Video Creation

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — combine these images and audio into a 30-second promotional video with tex...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description align with making network calls to a video-rendering backend and requiring a NEMO_TOKEN. That credential and the listed API endpoints are coherent with a cloud video service. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata provided to you listed no required config paths — this mismatch is unexplained.
! Instruction Scope
Runtime instructions direct the agent to obtain an anonymous token automatically if NEMO_TOKEN is not present, create sessions, upload user media, and poll render status — all expected for the stated purpose. But the SKILL.md also tells the agent not to display raw API responses or token values to the user and says to “store the returned session_id” without specifying where or whether that storage is transient. That opacity about token/session handling increases risk (tokens could be persisted, hidden, or reused without user visibility).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an install step. That lowers install-time risk.
! Credentials
The only declared required environment variable is NEMO_TOKEN, which is proportionate for a service that requires an API token. However, SKILL.md frontmatter also references a config path (~/.config/nemovideo/) that could contain credentials/config; the registry metadata shown to you did not declare this path. That discrepancy means the skill might expect or try to read local config without declaring it.
Persistence & Privilege
The skill is not marked always:true and has no install hooks, so it does not request elevated persistent presence. It does instruct keeping and reusing session_id tokens for the session lifecycle, which is normal, but where/how that data is stored is not specified.
What to consider before installing
This skill appears to be a front-end for an external video-rendering service (mega-api-prod.nemovideo.ai) and will upload media and use an API token. Before installing or using it, consider the following:
(1) Confirm you trust the external domain (nemovideo.ai) because your media and generated tokens will be sent there.
(2) Ask the skill author where session_id and any generated anonymous tokens are stored (in-memory only vs written to ~/.config or other files). The SKILL.md tells the agent to hide token values from users — ask for a transparent persistence policy.
(3) If you have sensitive media, avoid automatic anonymous-token creation; prefer providing your own NEMO_TOKEN or verifying data retention policies.
(4) The frontmatter references a local config path (~/.config/nemovideo/) but the registry metadata did not — request clarification or deny filesystem access.
If you need stronger assurance, request the developer to (a) remove implicit token storage, (b) document exactly what is written to disk (if anything), and (c) provide a privacy/data-retention statement for uploaded media.

Like a lobster shell, security has layers — review code before you run it.

latestvk972jm7r4k019b8bc3n4beh98d84ppd5

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
