ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Generator From Text Free

v1.0.0

generate text prompts into text-based videos with this ai-video-generator-from-text-free skill. Works with TXT, DOCX, PDF, plain text files up to 500MB. mark...

0· 59·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (text→video) align with the runtime instructions (upload text, create session, SSE for edits, export MP4). Requesting a single API token (NEMO_TOKEN) is proportionate to the service. However, the skill has no listed homepage or known source, which reduces provenance and auditability.
Instruction Scope
The SKILL.md describes concrete API calls (session creation, SSE, upload, render/export) and only asks the agent to interact with the service's endpoints. It does not instruct reading unrelated user files or secrets. One inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier indicated no required config paths — the skill may expect or use local config but that expectation is not reflected in registry metadata.
Install Mechanism
Instruction-only skill (no install spec, no bundled code), so nothing is downloaded or written to disk by an installer. This is the lowest install risk.
!
Credentials
The only declared credential is NEMO_TOKEN, which is appropriate for calling the remote API. But the skill will fall back to obtaining an anonymous token by POSTing to an external endpoint if NEMO_TOKEN is absent — this means the agent will always obtain/hold a bearer token (either user-provided or service-issued). The skill will also upload user files (up to 500MB) and send them to the third-party domain, so sensitive data could be transmitted. The earlier mismatch about configPaths is another red flag for undeclared local config access.
Persistence & Privilege
Skill does not request always:true and does not appear to modify other skills or system-wide settings. It uses ephemeral session tokens for renders and does not declare elevated platform privileges.
What to consider before installing
This skill appears to implement what it promises (send text/files to a third-party API to generate videos), but exercise caution before using it: 1) There is no listed homepage or known source—verify the service domain (mega-api-prod.nemovideo.ai) and the vendor before uploading anything sensitive. 2) The skill will use NEMO_TOKEN from your environment (or request an anonymous token automatically) and will upload user files (up to 500MB) to the remote API; do not send private/confidential data unless you trust the service and its privacy policy. 3) Confirm the expected config path (~/.config/nemovideo/) and whether the agent will read local files there—the registry metadata and SKILL.md disagree. 4) If you proceed, prefer using a limited-scope or disposable token (if the service supports it) and test first with non-sensitive content. 5) If provenance matters, ask the publisher for a homepage, documentation, or source so you can audit the service endpoints and token scopes before installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk971m2kxd366dns1s3vmwftcn584kxfv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments