Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Text To Video Creator
v1.0.0Get ready-to-share videos ready to post, without touching a single slider. Upload your written text prompts (TXT, DOCX, PDF, copied text, up to 500MB), say s...
⭐ 0· 53·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to convert text into videos and its instructions call a remote video-rendering API (auth, upload, render, export). Requiring a NEMO_TOKEN and calling the nemovideo.ai endpoints is coherent with that purpose. Minor mismatch: the registry metadata earlier listed no required config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). That inconsistency should be clarified.
Instruction Scope
Instructions direct the agent to automatically obtain an anonymous token when NEMO_TOKEN is absent, create and persist a session_id, and include attribution headers on every request. They do not explicitly state where tokens/session IDs are stored (though frontmatter suggests a config path). The skill also asks the agent to auto-detect an install path/platform for a required header value — that can require reading agent or filesystem state. These implicit read/write actions (storing tokens, reading install path) expand the agent's scope beyond just forwarding user text and uploads and should be made explicit and justified.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer in the manifest. The primary runtime behavior is HTTP requests to the external API.
Credentials
The only declared credential is NEMO_TOKEN (primaryEnv), which is appropriate for an external video service. However, the SKILL.md suggests generating and storing tokens automatically and the frontmatter mentions a user config path (~/.config/nemovideo/) — reading/writing that path grants filesystem persistence of credentials. The registry entry also inconsistently listed no config paths. Requesting only one service token is proportionate, but implicit persistent storage of that token increases risk and should be explicit to users/admins.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges or to modify other skills. The only persistence implied is saving a session_id / token (per the instructions). Autonomous invocation is allowed (default) but that is normal for skills and not flagged by itself.
What to consider before installing
This skill will send your uploaded text and files to a third-party service (mega-api-prod.nemovideo.ai) to render videos and will use a NEMO_TOKEN for authorization. If no token is present it will automatically request an anonymous token and is likely to persist the token/session (frontmatter references ~/.config/nemovideo/). Before installing: (1) confirm you trust nemovideo.ai and review its privacy/terms (your content is sent to their servers); (2) prefer providing your own NEMO_TOKEN rather than letting the skill auto-generate/store it; (3) ask the author to clarify exactly where tokens/session IDs are saved and whether any other files are read; (4) avoid sending sensitive PII or secrets in prompts/uploads; (5) if you need stricter control, block filesystem writes for the skill or run it in a restricted environment. The inconsistencies between the declared registry metadata and the SKILL.md (config path presence) are worth resolving with the skill publisher before use.Like a lobster shell, security has layers — review code before you run it.
latestvk97cz4564hqpnyfgn1y286ak7s84pr10
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN