ClawHub

A

v1.0.0

AI video creation and editing — generate videos from text descriptions, edit with background music, sound effects, titles, transitions, and export finished M...

0· 85·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, declared primary credential (NEMO_TOKEN), declared config path (~/.config/nemovideo/) and the SKILL.md instructions all align with a video-generation/editing API integration. Nothing requested is inexplicably unrelated to video creation/export.
Instruction Scope
Instructions are narrowly focused on creating sessions, sending SSE messages, uploading media, exporting, and managing credits. Two noteworthy behaviors: (1) the skill tells the agent to build a web link that includes the user's token as a query parameter (token appears in a URL shown to the user), which can leak the token via browser history/referrers; (2) it instructs the agent to detect/publish SKILL_SOURCE by inspecting the install path (this may reveal local install paths/platform metadata). These are functional for the described flows but have privacy implications.
Install Mechanism
No install spec or code is present (instruction-only). Nothing will be downloaded or written beyond the explicit small config persistence (~/.config/nemovideo/client_id) described in the SKILL.md.
Credentials
Only one primary credential is declared (NEMO_TOKEN), which is appropriate for a hosted API service. The skill persists a non-secret client_id (UUID) to ~./config/nemovideo/client_id to avoid token-rate limits; this is proportionate. The token is described as an anonymous, short-lived token with 7-day expiry — appropriate but worth confirming the token's scope/permissions before use.
Persistence & Privilege
always:false and no system-wide changes are requested. The skill writes only its own client_id file and does not request modification of other skills/configs. It does instruct the agent to persist a client_id in ~/.config/nemovideo/.
Assessment
This skill appears to do what it says (talk to NemoVideo's API to create/edit/export videos) and only asks to persist a non-secret client_id and use a Nemo token. Before installing: - Prefer providing your own NEMO_TOKEN (inspect its scope) rather than relying on anonymous tokens if you have concerns. - Be aware the skill will create ~/.config/nemovideo/client_id (a UUID) and may read its own install path to populate X-Skill-Platform headers — this can reveal some local install path metadata. - The skill constructs a web link containing the token as a URL query parameter for 'open in browser' flows; this can expose the token via browser history/referrers. If you use this feature, treat the token as sensitive in that context and revoke/regenerate it if leaked. - Verify NemoVideo's service reputation and review their API token management UI (revocation/permissions) so you can revoke tokens if needed. If you want higher assurance, ask the skill author for explicit details on token scopes, or prefer using a scoped, revocable token you control.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cdqs5p53d23z9v9q9q92cb983a91v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Primary envNEMO_TOKEN

Comments