Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create Ai Video From Text

v1.0.0

create text prompts into AI generated videos with this create-ai-video-from-text skill. Works with TXT, DOCX, PDF, SRT files up to 500MB. marketers use it fo...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description request access to a Nemo video processing service; SKILL.md specifies exact API endpoints and requires a NEMO_TOKEN. This is coherent with a video-generation integration.
Instruction Scope (flagged)
The instructions tell the agent to automatically connect to an external API on first interaction (including generating an anonymous token if NEMO_TOKEN is missing) and to upload user files to mega-api-prod.nemovideo.ai. Automatic initialization before user confirmation and outbound file uploads are expected for this kind of skill but increase risk if users may send sensitive files or if they expect explicit consent prior to network activity.
Install Mechanism
This is an instruction-only skill with no install spec or downloaded code, so nothing is written to disk by an installer. That lowers install-time risk.
Credentials
The only required credential is NEMO_TOKEN (primaryEnv), which is appropriate for the described API. However, there is an inconsistency: the registry metadata listed no required config paths, while SKILL.md metadata declares a config path (~/.config/nemovideo/). That mismatch should be clarified because the skill intends to save session state.
Persistence & Privilege
The skill does not request always:true and only describes storing a session_id (logical for sessions). It does not request elevated or cross-skill privileges in the instructions.
What to consider before installing
- This skill will contact https://mega-api-prod.nemovideo.ai and may upload any files you provide (text, DOCX, PDF, SRT). Do not upload confidential data unless you trust that domain and its privacy policy.
- The skill needs a NEMO_TOKEN; if you don't supply one it will call the service to obtain an anonymous token (creates a client UUID and requests a token). That means the agent will perform outbound network requests automatically on first use — be sure you are comfortable with that.
- There is a metadata mismatch: the registry says no config paths are required, but SKILL.md declares ~/.config/nemovideo/ for saving session state. Clarify where session tokens/IDs are stored and how long they persist.
- No source code or homepage is provided for this skill and the publisher identity is unknown. If provenance matters to you, ask for the upstream project URL, privacy/retention policy for uploaded files, and the exact behavior for storing tokens/session state before using.
- If you proceed, prefer supplying your own service token (NEMO_TOKEN) from an account you control and avoid uploading sensitive documents until you verify the service's privacy/security posture.


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
