ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Text To

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — turn this text into a 30-second promotional video with visuals and music —...

0· 47·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (convert text to short promotional videos) match the APIs and endpoints documented in SKILL.md (session creation, SSE generation, upload, render/export). Requesting a NEMO_TOKEN credential or using an anonymous token is coherent with a cloud-rendering service.
!
Instruction Scope
Instructions include filesystem/installation-path detection (to set X-Skill-Platform) and the SKILL.md frontmatter indicates a config path (~/.config/nemovideo/) that the agent may read. The registry metadata shown to you earlier listed no required config paths, creating an inconsistency. The instructions also describe generating anonymous tokens and uploading user files — expected for the service but worth noting because uploads and token handling involve user data and credentials.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes on-disk persistence and arbitrary code execution risk.
Credentials
Only NEMO_TOKEN is declared as the primary credential, which is proportional for a third-party API. However, the SKILL.md provides a fallback flow that generates an anonymous token via the service API, and the frontmatter metadata references a config path (~/.config/nemovideo/) that could be used to read stored credentials — this is not reflected in the registry summary you were shown.
Persistence & Privilege
always:false and no install hooks. The skill can run autonomously per platform defaults, but it does not request permanent platform-wide privileges. The only persistence hinted is session/anonymous tokens from the service (7-day anonymous token), which is expected for short-lived cloud jobs.
What to consider before installing
This skill appears to implement a legitimate text→video cloud service (uses nemovideo.ai endpoints) and needs a NEMO_TOKEN (or it will request an anonymous token). Before installing or invoking it: 1) note the SKILL.md references a config directory (~/.config/nemovideo/) and install-path detection (~/.clawhub/, ~/.cursor/skills/) — clarify whether the skill will read those paths and why, because the registry metadata you saw did not list them; 2) avoid putting highly sensitive credentials in NEMO_TOKEN unless you trust the service and its owner; prefer letting the skill use an anonymous token if you only need a quick test; 3) be aware any files you upload will be sent to the external API (video/media, documents), so don't upload private secrets or PII you wouldn't want transmitted to a third party; 4) because the skill is instruction-only, it doesn't install code locally—that reduces some risk, but network calls to the external domain are required. If you want higher assurance, ask the publisher to confirm (a) whether the skill reads ~/.config/nemovideo/ or other local files, (b) whether it persists tokens locally and where, and (c) to provide a canonical homepage or source repository for review.

Like a lobster shell, security has layers — review code before you run it.

latestvk977g32xzxnqc45nz6nnama7dn84m1n7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✍️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments