ClawHub

C

v1.0.0

AI video creation and editing — generate videos from text descriptions, edit with background music, sound effects, titles, transitions, and export finished M...

0· 84·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Skill name/description (AI video creation/editing) match the instructions which call NemoVideo APIs and handle exports, uploads, credits, and SSE-based generation. Requiring/using a Nemo session token and a persisted client_id is appropriate for this purpose.
Instruction Scope
Instructions stay focused on talking to the NemoVideo backend, uploading files, creating sessions, rendering, and exporting. Notable issues: the instructions build a browser 'claim' URL that embeds the session token as a query parameter (token in URLs can leak via logs/referrers), and the guidance claims it will 'save token as NEMO_SESSION' without a clear, platform-neutral mechanism for persistent environment variable storage (ambiguous). The skill also writes ~/.config/nemovideo/client_id (UUID) to disk — this is expected but should be disclosed to users.
Install Mechanism
Instruction-only skill with no install spec or third-party downloads. No code or archive extraction is present, which minimizes install-time risk.
Credentials
The only credential is NEMO_SESSION (declared as primaryEnv), which is proportionate for a service that requires authenticated API calls. Slight inconsistency: SKILL metadata/registry marks NEMO_SESSION as the primary credential while the SKILL.md table labels it 'No' under Required and describes an auto-generation flow — this is a minor mismatch in documentation but not itself dangerous.
Persistence & Privilege
always:false and no broad system modifications requested. The skill persists a client_id at ~/.config/nemovideo/client_id (UUID only). There is potential for the skill to persist a session token depending on how the agent/runtime implements 'save NEMO_SESSION', so users should verify how tokens are stored.
Assessment
This skill appears to do what it claims (integrate with NemoVideo). Before installing: 1) Verify the homepage and decide whether you trust nemovideo.com. 2) Prefer creating and supplying your own revocable NEMO_SESSION API token (instead of letting the skill auto-generate and persist one). 3) Be aware the skill writes ~/.config/nemovideo/client_id (UUID) and its ‘claim’ link embeds the session token in the URL — avoid sharing that link publicly and revoke the token if it may have been exposed. 4) Confirm how your agent/runtime will persist NEMO_SESSION (if it does); if persistent storage is used, ensure it's stored securely and revoke tokens when no longer needed. 5) Only upload media you are allowed to share; review the service's privacy/TOS for how uploaded content and tokens are handled.

Like a lobster shell, security has layers — review code before you run it.

latestvk974aah2mh382bwms4f83d7gpd83bts7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Primary envNEMO_SESSION

Comments