ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

The Best Ai Video Generator

v1.0.0

Cloud-based the-best-ai-video-generator tool that handles generating polished videos from text prompts or images. Upload MP4, MOV, JPG, PNG files (up to 500M...

0· 56·0 current·0 all-time
by@francemichaell-15
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud video generation) align with the runtime instructions (session creation, upload, render, export endpoints). However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reports no required config paths — this mismatch is unexplained.
!
Instruction Scope
Instructions will send user files and text prompts to an external service (mega-api-prod.nemovideo.ai) and handle SSE streams; that is expected for this purpose but is a privacy/data-exfiltration vector the user should know about. The skill also directs the agent to auto-create an anonymous NEMO_TOKEN by POSTing to an auth endpoint if none is present. Another minor concern: it asks to 'auto-detect' platform from the install path for an X-Skill-Platform header, which implies the agent may inspect filesystem/install paths — this expands scope beyond pure API calls.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk write/remote-code-install risk.
Credentials
Only NEMO_TOKEN is declared as a required credential and is the primaryEnv, which fits a cloud API. The skill will attempt to mint an anonymous token if none exists; this behavior is reasonable but should be explicit to users. Ensure you do not accidentally supply unrelated high-privilege credentials; do not give production credentials unless you trust the service.
Persistence & Privilege
always:false, no install, and no instructions to modify other skills or system-wide config. The skill does ask the agent to keep session_id in memory for the session, which is normal and short-lived.
What to consider before installing
Before installing: 1) Confirm the API domain (mega-api-prod.nemovideo.ai) is a legitimate service you trust — this skill will upload user files (videos/images) to that remote service. 2) Understand privacy: uploaded content and prompts will leave your machine and be processed remotely; don't upload sensitive data unless permitted. 3) The skill will try to mint an anonymous NEMO_TOKEN if none is provided — if you prefer control, provide your own token or avoid giving any credentials. 4) Note the frontmatter mentions a config path (~/.config/nemovideo/) and an instruction to auto-detect an install path for X-Skill-Platform — ask the author to clarify whether the agent will read local filesystem/install paths and why. 5) If you need higher assurance, request the skill author or publisher identity, an official homepage, or run the skill in a sandboxed/ephermal environment and monitor outbound network calls before using with sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bbq8pfe8hz6v3hxr17f9v6n84k4c1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments