Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vheer Ai Video Generator
v1.0.0Drop a concept, image, or script and watch it transform into a polished video — that's the power of vheer-ai-video-generator. This skill taps into Vheer's ge...
⭐ 0· 44·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the operations described in SKILL.md (text/image → cloud video generation). Declared primary credential (NEMO_TOKEN) is appropriate for an external video API. No unrelated service credentials are requested.
Instruction Scope
Runtime instructions instruct the agent to check NEMO_TOKEN, create an anonymous token via POST to the vendor API if missing, create sessions, use SSE endpoints, upload files/URLs, and read the skill's YAML frontmatter and install-path to set attribution headers. These actions are coherent with a cloud video service, but the automatic anonymous-token request means the skill can obtain bearer tokens on the fly (network calls, token extraction) without explicit additional user consent.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. No third-party packages or downloads are declared.
Credentials
PrimaryEnv is NEMO_TOKEN which is expected. However SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported none — an inconsistency. The skill also offers to mint an anonymous NEMO_TOKEN by calling the vendor API if none is present, which may be surprising to users who expect explicit credential provision.
Persistence & Privilege
always:false and no install/profile modification steps. The skill mentions keeping session_id during operation but does not instruct modifying other skills or system-wide settings. No forced persistent presence is requested.
What to consider before installing
This skill appears to do what it says (call Vheer's cloud API to generate videos), but pay attention before installing:
- It will call an external API (mega-api-prod.nemovideo.ai) and may upload files you provide — content will leave your machine. Only proceed if you're comfortable with that.
- If you don't supply NEMO_TOKEN, the skill will automatically request an anonymous token from the vendor and use it (100 free credits, 7-day expiry). Decide whether you want the skill to mint credentials on your behalf or prefer to supply your own token.
- There's an inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) not listed in the registry metadata. Ask the author what that path is used for and whether anything will be written there.
- The skill detects install path and reads its own frontmatter to construct attribution headers; this requires limited filesystem access. Confirm you're okay with that.
- Because the skill's source/homepage is unknown, consider requesting provenance or documentation from the publisher before granting credentials or uploading sensitive material. If you want to proceed cautiously, deny NEMO_TOKEN and test with non-sensitive inputs first.Like a lobster shell, security has layers — review code before you run it.
latestvk97e96d6whavnnrh6bgkp0fzs984f59s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN