ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Generator Free Download

v1.0.0

generate text or images into ready-to-download MP4 with this skill. Works with MP4, MOV, PNG, JPG files up to 200MB. content creators and small business owne...

0· 17·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (generate downloadable MP4s) aligns with the single required credential (NEMO_TOKEN) and the API endpoints documented in SKILL.md. However, SKILL.md metadata includes a config path (~/.config/nemovideo/) that was not declared in the registry summary — this is an inconsistency worth clarifying (the skill may expect to read/write that directory).
!
Instruction Scope
Runtime instructions tell the agent to automatically contact an external backend, obtain an anonymous token if NEMO_TOKEN is absent, create sessions, upload user files, stream SSE, and poll render status. Those actions are coherent with video generation, but the skill explicitly directs automatic outbound network activity on first use and will transmit user-supplied media to a third-party host (mega-api-prod.nemovideo.ai) without an explicit per-use consent step in the instructions.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk and nothing is written during an install step by the skill itself. Risk comes from runtime behavior, not from installation.
Credentials
Only one credential is requested (NEMO_TOKEN), which is proportional to a cloud API integration. The SKILL.md also describes obtaining an anonymous token programmatically if none is present; this is reasonable but means the skill will create/use credentials on your behalf. It also mentions session and token values but gives no secure storage guidance; combined with the undocumented config path, storage behavior is ambiguous.
Persistence & Privilege
always:false (no forced global presence). The skill instructs storing a session_id for ongoing requests and SKILL.md metadata references a config directory — but it does not explicitly state where or how tokens/session IDs are persisted. That ambiguity means the skill might write files under ~/.config/nemovideo/ or other locations at runtime.
What to consider before installing
This skill will upload your media and connect to an external API (mega-api-prod.nemovideo.ai) and will auto-request an anonymous token if you don't provide one. Before installing: (1) confirm you trust nemovideo.ai and are comfortable uploading the kinds of files you will use; (2) decide whether to supply your own NEMO_TOKEN environment variable rather than allowing the skill to create an anonymous token; (3) ask the skill author or registry to clarify where session tokens and session_id are stored (SKILL.md references ~/.config/nemovideo/ but the registry did not), and whether anything is written to disk; (4) avoid using the skill with sensitive or confidential videos unless you verify the provider's privacy policy and retention practices. The mismatches and automatic-network behavior are not proof of malice, but they are reasons to proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk972k4522075j1068n8t1cszms84rbqz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments