Best Vue Component Generator
v1.0.0Skip the learning curve of professional editing software. Describe what you want — generate a reusable Vue 3 button component with props and emit events — an...
⭐ 0· 46·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's name/description (generate Vue component tutorial videos) match the runtime instructions (create a session, upload media, request render/export) and the single declared credential (NEMO_TOKEN) is appropriate for a remote rendering API. One inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths — this suggests the skill expects a local nemovideo config but the registry didn't surface that requirement.
Instruction Scope
Instructions are explicit about creating sessions, uploading files (up to 200MB), and polling export endpoints on https://mega-api-prod.nemovideo.ai; that is consistent with the stated purpose. Important privacy note: user code and video files are uploaded to a third-party service. The skill also asks to include attribution headers and to detect an install path for 'X-Skill-Platform' (uses heuristics based on typical install paths) — that detection is harmless but relies on path-checking which isn't fully explained. No instructions ask the agent to read unrelated local secrets or system files beyond the (possibly implied) nemovideo config path.
Install Mechanism
There is no install specification and no code files — this is instruction-only, so nothing is written to disk by an installer. This is the lowest-risk install profile.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which is proportionate to a cloud-rendering API. However, the SKILL.md mentions a config directory (~/.config/nemovideo/) which could contain tokens or other credentials; the registry did not list that path. The skill will accept and upload arbitrary user files (code, media), so the primary privacy/credential risk is that the NEMO_TOKEN grants access to render/export and any data sent to the API is exposed to that third party.
Persistence & Privilege
The skill is not force-included (always:false) and uses the normal autonomous-invocation setting. It requests that the agent save a session_id for API calls during a session, which is reasonable and scoped to the service; it does not request elevated system privileges or modification of other skills' configs.
Assessment
This skill appears to do what it says: it uploads your code and video files to nemovideo.ai and uses a single API token (NEMO_TOKEN) to create sessions and trigger renders. Before installing or using it:
- Treat NEMO_TOKEN as powerful: anyone with it can make API calls (render, export). Don't reuse a token that grants broader access to other services. Create a dedicated token for this use if possible.
- Avoid uploading sensitive secrets or private data (credentials, private keys, proprietary source) to the service. Test with non-sensitive/sample content first.
- Confirm the config-path behavior: SKILL.md references ~/.config/nemovideo/ but the registry did not list that path — ask the skill author whether the skill will read that directory and what it stores there.
- Prefer skills with a known homepage or source; this skill has unknown source and no homepage, so weigh the trust of the external API.
- If you need stronger assurance, ask the author for a security/privacy statement and for a minimal-scope token option (or run the workflow with an anonymous token and disposable data).Like a lobster shell, security has layers — review code before you run it.
latestvk97af2jt1fm3g7n7dk5n277f9x84qr29
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚙️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN