Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clideo Add Music To Video

v1.0.0

Turn a 2-minute MP4 clip and an MP3 song into 1080p music-backed videos just by typing what you need. Whether it's adding background music to video clips or...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a 'Clideo' add-music tool but all API endpoints target mega-api-prod.nemovideo.ai (a different brand). Requiring a NEMO_TOKEN is coherent for a nemo-video backend, but the name/branding mismatch and lack of a homepage/source raise provenance concerns. Also the SKILL.md metadata lists a config path (~/.config/nemovideo/) even though the registry metadata showed no required config paths — a registry ↔ skill-document inconsistency.
Instruction Scope
Instructions are specific about session creation, upload, SSE streaming, and export polling — all reasonable for a cloud render pipeline. They also instruct the agent to read the skill's YAML frontmatter at runtime and detect install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform headers; this requires filesystem probing (reading the skill file and detecting install paths). That is plausible for attribution but is broader than a pure 'upload/merge' instruction and should be disclosed to users.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. Low install risk.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is proportional to a cloud-rendering API. The skill also documents a fallback anonymous-token flow if no env var is present (POST to /api/auth/anonymous-token) — expected for anonymous use. No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges. The instructions do require reading the skill file/frontmatter and probing common install directories for attribution, but they do not instruct modifying other skills or system-wide settings.
What to consider before installing
This skill's functionality (upload a video/audio, call a cloud rendering API, return a download URL) is consistent, but there are two red flags you should check before installing or supplying credentials:

- Branding/provenance: The skill name references 'Clideo' but all API endpoints are at mega-api-prod.nemovideo.ai and there is no homepage or known source. Ask the publisher to clarify which service/back end this uses and provide an official homepage or privacy policy. Do not assume it is affiliated with Clideo.
- Metadata/file access: The skill's own instructions say it will read the skill file's YAML frontmatter and probe common install paths and ~/.config/nemovideo/. Decide whether you are comfortable with those filesystem checks. They can reveal where skills are installed and expose metadata; this is not credential exfiltration but is broader than a pure API call.

Before proceeding consider: only provide a NEMO_TOKEN you control and that is scoped to the service; avoid reusing high-privilege credentials. If possible, test with an ephemeral or anonymous token first. If the author can provide a homepage, documentation for the nemovideo endpoint, or an explanation for the Clideo naming, that would raise confidence and could change this assessment to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dc4sgngfps90h0xnxabjj1d84ppjh


Runtime requirements

🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
