Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Video Generation Model Api
v1.0.0Skip the learning curve of professional editing software. Describe what you want — generate a 10-second video clip of a futuristic city at night from a text...
⭐ 0· 10·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to generate short videos from text and its instructions call a remote video-generation API (POSTs, uploads, render endpoints) and request a single API credential (NEMO_TOKEN). That is coherent with the stated purpose. However: the skill metadata in the packaged SKILL.md references a config path (~/.config/nemovideo/) and install-path detection for X-Skill-Platform even though the registry metadata lists no config paths — an inconsistency worth noting.
Instruction Scope
Runtime instructions require contacting an external domain (https://mega-api-prod.nemovideo.ai), generating an anonymous token if no NEMO_TOKEN is present, saving a session_id, and determining an install path to derive an X-Skill-Platform header (checking ~/.clawhub/, ~/.cursor/skills/, etc.). The install-path check implies filesystem probes beyond purely handling user prompts. The instructions also say to persist tokens/session state but do not specify storage scope or protections. These behaviors are plausible for an API client but expand scope beyond simple text→video conversion and are not fully justified or documented.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That is lower-risk from an installation perspective because nothing is downloaded or written to disk by an installer step.
Credentials
Only one environment variable is declared (NEMO_TOKEN) which fits an API client. However the skill's embedded frontmatter also lists a config path (~/.config/nemovideo/) and the runtime instructions expect to detect local install paths to set a header; the registry-level metadata presented to you showed no required config paths. This mismatch means the skill may try to read local paths it didn't explicitly declare, which is disproportionate unless you accept that local caching or platform detection is needed.
Persistence & Privilege
always:false and normal autonomous invocation are used (expected). The skill instructs saving session_id and the acquired token (if generated) for subsequent requests; persisting credentials/session state is typical for API clients but the SKILL.md does not specify where or how long to persist, so there is some risk that tokens or session IDs could be stored in a less-restricted location. No directive to modify other skills or system-wide config is present.
What to consider before installing
This skill appears to implement a remote text→video API and asks for one API token (NEMO_TOKEN). Before installing: 1) Be cautious because the publisher/source is unknown and no homepage is provided — verify the domain (mega-api-prod.nemovideo.ai) and the service's reputation. 2) Prefer providing an ephemeral or limited-scope token (not your primary production credentials). 3) Expect the skill to contact the external API, generate anonymous tokens, and save session IDs/tokens; confirm where the agent persists those values (memory vs disk) and whether they are encrypted. 4) Note the SKILL.md references reading install paths/config directories — if you are concerned about filesystem probing, run the skill in a restricted/sandboxed environment. 5) If you need stronger assurance, request the publisher/source code or documentation and confirm the endpoints and data handling policy before use.Like a lobster shell, security has layers — review code before you run it.
latestvk970c4t9rdyt5xd1za2q7z7rx184rb06
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN