Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fast To Video Ai
v1.0.0Cloud-based fast-to-video-ai tool that handles converting text scripts into finished videos quickly. Upload TXT, DOCX, PDF, MP4 files (up to 200MB), describe...
⭐ 0· 38·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (convert text to videos via a cloud API) matches the runtime instructions and the single required credential (NEMO_TOKEN). However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata earlier said was 'none' — this inconsistency could indicate the skill expects to read user config files (potentially stored tokens) even though the registry record doesn't list that. Owner/homepage are unknown, which reduces transparency.
Instruction Scope
Instructions are specific about establishing a session, posting messages (SSE), uploads, and exports to the nemovideo API endpoints. They direct generation of an anonymous token if NEMO_TOKEN is absent and require specific headers. There are no broad or vague instructions to read unrelated files (e.g., shell history) or exfiltrate arbitrary data. The only file/paths referenced are upload file paths and the optional config path (~/.config/nemovideo/).
Install Mechanism
No install spec and no code files — instruction-only skill. This is lower risk because nothing is written to disk by an installer. All runtime behavior is API calls described in SKILL.md.
Credentials
Only one required env var (NEMO_TOKEN) which is proportionate for a cloud service. The concern is the SKILL.md frontmatter suggests a config path (~/.config/nemovideo/) that could contain credentials; the registry metadata lists no config paths. That mismatch means the skill might read stored local tokens/configs even if the registry didn't advertise that, so users should confirm whether local config access will occur.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistence. It can be invoked autonomously (platform default), which is normal; no evidence it modifies other skills or system-wide settings.
Scan Findings in Context
[no_code_files_instruction_only] expected: The scanner found no code files; SKILL.md is instruction-only. Absence of findings is expected but means static regex scans provide limited signal.
What to consider before installing
This skill's behavior is mostly coherent with its description, but take these precautions before installing: (1) Confirm whether the skill will read ~/.config/nemovideo/ (SKILL.md claims it) — inspect the skill frontmatter and ask the publisher if unclear. (2) Prefer using an anonymous starter token for one-off use rather than placing a long-lived NEMO_TOKEN in your environment; don't supply production/critical tokens unless you trust the service. (3) Verify the service domain (mega-api-prod.nemovideo.ai) and the publisher since homepage and owner info are opaque. (4) Be cautious about uploading sensitive content — uploads go to a cloud GPU service and may be stored/processed. If you need higher assurance, request source or a homepage from the publisher or decline until metadata inconsistencies are resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk97egj5msq7mxc9gk05n430b1184mh86
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚡ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN