Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Text To Video In Canva
v1.0.0convert text prompts into ready-to-share videos with this skill. Works with TXT, DOCX, PDF, copied text files up to 200MB. marketers use it for converting wr...
⭐ 0· 23·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill is named and described as 'Text To Video In Canva' but every API endpoint and credential (NEMO_TOKEN) referenced in SKILL.md targets mega-api-prod.nemovideo.ai / nemo_agent, not Canva. No Canva credentials, endpoints, or official Canva integration are present. Additionally, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the provided registry metadata lists no required config paths — an inconsistency in what the skill claims to need versus registry data.
Instruction Scope
Runtime instructions direct the agent to create sessions, optionally fetch an anonymous token, upload user files (multipart or by URL), stream SSEs, and poll render status on an external service. Uploading user-supplied files and text to a remote API is expected for a cloud-render skill, but it does mean user content (and any NEMO_TOKEN if present) will be sent to an external domain. The instructions also require specific attribution headers and an 'auto-detect' X-Skill-Platform value (which implies reading install context), and they differ from registry-supplied requirements (see above). There are no instructions that read unrelated local system files, but the skill will transmit user-provided files and possibly a token to an external service.
Install Mechanism
No install script or binaries — instruction-only. This minimizes on-disk risk since nothing is downloaded or executed locally by an installer.
Credentials
Only one credential (NEMO_TOKEN) is requested, which aligns with the nemo backend used in the instructions. That is proportionate if you expect the skill to use nemovideo's API. However, the skill name implies Canva integration (which would require different credentials), so the requested environment access does not match the marketing name. The skill also documents obtaining an anonymous token from the remote API if no NEMO_TOKEN is provided — this is functional but will grant the remote service temporary access to uploads.
Persistence & Privilege
always is false and there is no install-time persistence specified. The skill may be invoked autonomously by the agent (default behavior) and that could cause uploads to the remote service without additional prompts, so ensure you understand invocation behavior before sending sensitive content.
What to consider before installing
This skill appears to send text and uploaded files to a third‑party service (mega-api-prod.nemovideo.ai) and expects a NEMO_TOKEN — but it is labeled as 'in Canva', which is misleading. Before installing: 1) Verify the publisher and ask for a homepage or privacy/terms so you can confirm who runs mega-api-prod.nemovideo.ai. 2) If you expect an official Canva integration, do not install — this is not using Canva's API. 3) Avoid uploading sensitive or proprietary content; test with non-sensitive sample data first. 4) If you provide a NEMO_TOKEN, ensure it is scoped/minimal and rotate it afterward if necessary. 5) Ask the skill author to resolve metadata inconsistencies (registry vs SKILL.md configPaths and the misleading name). If these questions are unanswered, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk976fwfk7yx2phzjv766ks6d9984pd1a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN