Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Music Generator Free Ab Old
v1.0.0
Tired of searching royalty-free music libraries only to find tracks that don't quite fit your video's mood? The ai-music-generator-free skill creates origina...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (AI music generation) align with what the skill requests: a single NEMO_TOKEN credential, NemoVideo API endpoints, and a config path under ~/.config/nemovideo/. Nothing requested appears unrelated to music generation.
Instruction Scope
Instructions include appropriate network calls (session creation, SSE, uploads) and reading/writing ~/.config/nemovideo/client_id. However, the doc is internally inconsistent about token handling: it says 'don't expose tokens' but instructs generating and embedding tokens in a workspace claim URL (token in the query string), which is insecure and could leak credentials. The skill also requires reading local install paths to set X-Skill-Platform, which is likely unnecessary but low-risk. The instructions do not clearly require explicit user consent before uploading files or creating/storing tokens.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. The only persistent write described is saving client_id under ~/.config/nemovideo/, which is proportionate to the service but should be disclosed to users.
Credentials
Only NEMO_TOKEN is declared as required (primaryEnv). That is appropriate for a cloud music service. However, the skill will auto-request an anonymous token and write client_id if NEMO_TOKEN is absent — creating credentials automatically and storing them can be surprising. The token lifetime (100 free credits, 7-day expiry) and use in bearer auth mean this credential grants upload and generation privileges; users should understand that generated tokens are stored locally and sent to the remote service.
Persistence & Privilege
Skill is not always-enabled and has no install-time persistence mechanism beyond writing its own config file (~/.config/nemovideo/client_id). It does not request elevated system privileges or modify other skills' configs.
What to consider before installing
This skill looks like a real NemoVideo client for generating music, but proceed with caution. Key points to consider before installing or using it:
- Upload risk: using the skill will upload your video files to nemo's cloud service; do not use it for sensitive/private videos unless you trust the provider and have reviewed their privacy terms.
- Token handling: if you don't provide NEMO_TOKEN, the skill will create and store an anonymous token (and a client_id) in ~/.config/nemovideo/. That token is used for all API calls and could be embedded in a shareable URL (the instructions include putting the token in a workspace-claim query param) — embedding tokens in URLs is insecure and can leak credentials.
- Ask the skill to show the exact API calls and the contents of any URL it will open before it uploads anything. Prefer to supply your own NEMO_TOKEN rather than allowing the skill to auto-generate one.
- Inspect ~/.config/nemovideo/ after first run and delete stored tokens if you want to revoke access; consider using a temporary account or token with limited scope/credits.
- If you are uncomfortable with automatic token generation, token-in-URL behavior, or uploading to a third-party service, do not install/use the skill.
If you want, I can draft a short prompt to ask the skill to (a) show exactly what it will POST before doing it, (b) avoid embedding tokens in URLs, and (c) require explicit confirmation before uploading any file.
Like a lobster shell, security has layers — review code before you run it.
latestvk97agq96zv6bgjwfs6gmvkkh7n83wc1r
Runtime requirements
🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
