ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Gen Script

v1.0.0

Turn a 200-word product launch script into 1080p script-based videos just by typing what you need. Whether it's generating videos automatically from written...

0· 56·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's description (convert scripts to videos) aligns with the API calls and endpoints in SKILL.md. However, the registry declares NEMO_TOKEN as required while the SKILL.md explicitly supports generating an anonymous token if NEMO_TOKEN is not present — this is an incoherence (the env var is marked required but the skill can operate without it). The SKILL.md also lists a config path (~/.config/nemovideo/) in its frontmatter while the registry report lists no required config paths.
Instruction Scope
The instructions confine activity to the external nemovideo API: session creation, SSE chat, uploads, state, credits, and export. There are no directives to read arbitrary system files or unrelated credentials. The only system interaction implied is detecting an install path to set an attribution header and an optional config path in metadata; these are plausible for attribution but should be explicitly confirmed.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. This is low-risk from an install/execution standpoint.
Credentials
Only one credential (NEMO_TOKEN) is declared, which is appropriate for calling the external API. But the SKILL.md's ability to obtain an anonymous NEMO_TOKEN at runtime makes the declared 'required' nature of the env var misleading. The frontmatter also references a config path where tokens might be stored — the skill does not explicitly document writing there, so verify whether tokens or metadata are persisted to ~/.config/nemovideo/.
Persistence & Privilege
The skill is not force-installed (always:false) and uses normal autonomous invocation settings. It does not request special persistent system privileges in the SKILL.md. Be aware it will create and use session tokens and may orphan server-side jobs if a session is closed mid-render (documented behavior).
What to consider before installing
What to consider before installing: - This skill will send any provided script and uploaded media to https://mega-api-prod.nemovideo.ai for cloud rendering. Do not send sensitive or private content unless you trust that service and have reviewed its privacy/terms. - The registry says NEMO_TOKEN is required, but the skill can fetch an anonymous token itself if NEMO_TOKEN is absent — ask the publisher which behavior is intended and whether anonymous tokens or acquired tokens are ever persisted locally (SKILL.md mentions a config path in its frontmatter). - Confirm what (if anything) is written to ~/.config/nemovideo/ or other local paths and how long anonymous tokens remain valid. - Verify the service domain (mega-api-prod.nemovideo.ai) — there is no homepage or source listed in the registry, which reduces transparency. If you need stronger assurance, request the author's source code or a homepage, test with non-sensitive sample content, and consider using an account-specific token rather than environment-wide secrets. - Overall: functionally coherent for a cloud video service, but the metadata/env inconsistencies and lack of publisher/source information justify caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk978r4ms49kg339mhw2g567qed84q7ew

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments