ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bing Ai Video Creator

v1.0.0

Cloud-based bing-ai-video-creator tool that handles generating videos from text prompts or images. Upload JPG, PNG, MP4, MOV files (up to 200MB), describe wh...

0· 58·0 current·0 all-time
by@francemichaell-15
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is named "Bing Ai Video Creator" but all runtime instructions and the auth token (NEMO_TOKEN) point to a third-party service at mega-api-prod.nemovideo.ai (Nemo). That naming mismatch (Bing vs Nemo) is misleading. The SKILL.md frontmatter also declares a config path (~/.config/nemovideo/) while the registry summary showed no required config paths — an internal metadata inconsistency.
Instruction Scope
Instructions direct the agent to perform network calls (obtain anonymous token, create sessions, upload files, poll render status) and to read/write session state and detect install paths. Uploading user files to the external API is expected for a cloud render skill, but the skill also instructs checking local install paths and a config directory, which broadens filesystem access beyond purely handling explicit user-provided media. It will automatically obtain an anonymous token and create a session if NEMO_TOKEN is absent, which means outbound network activity can occur on first use without explicit user approval.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk by an installer. That is low-risk from an install-mechanism perspective.
Credentials
The sole required environment variable is NEMO_TOKEN, which is reasonable for authenticating to the described API. However, the SKILL.md also references a config path (~/.config/nemovideo/) that could contain credentials or data; that extra filesystem access was not reflected in the registry summary and is not justified in the top-level description.
Persistence & Privilege
always is false and the skill does not request permanent/force-included presence. It will, however, autonomously perform initial authentication network calls if NEMO_TOKEN isn't present (normal for many integrations but worth user awareness).
What to consider before installing
This skill appears to implement a Nemo-backed cloud video renderer but is marketed as "Bing Ai Video Creator" — that mismatch is suspicious. Before installing or supplying credentials: 1) Confirm the publisher and privacy/terms for mega-api-prod.nemovideo.ai and why the skill uses "Bing" in its name. 2) Ask where NEMO_TOKEN and session IDs are stored (memory only vs written to ~/.config/nemovideo/). 3) If you plan to upload sensitive media, understand uploads go to the external API and may persist there. 4) Consider not setting a long-lived NEMO_TOKEN in your environment; prefer ephemeral anonymous token behavior if acceptable. 5) If you need stronger assurance, request the skill author to clarify the configPath usage and to correct the metadata mismatch (configPaths and the skill name). If you are unsure, run the skill in a restricted environment or decline until the above are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a0x1gbhedm4xqgc6645xzrd84kate

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments