ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Generator Online Ai

v1.0.0

generate text or images into AI-generated videos with this skill. Works with MP4, MOV, PNG, JPG files up to 200MB. content creators and marketers use it for...

0· 35·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description map to the runtime instructions: the skill uses a single API (mega-api-prod.nemovideo.ai), requires a NEMO_TOKEN, creates sessions, uploads media, and requests renders. Requiring a token and upload/HTTP access is expected for a cloud video service.
!
Instruction Scope
The SKILL.md explicitly instructs generating an anonymous token, creating sessions, sending SSE messages, uploading files (multipart or by URL), and polling render endpoints — all expected for this function. However it also instructs detecting install path (~/.clawhub, ~/.cursor/skills/) and references a config path (~/.config/nemovideo/) in metadata. Those checks require reading the user's home filesystem and are not strictly necessary to perform video rendering; combined with arbitrary file upload, this broadens the skill's data access surface and increases the risk of unintended file reads or exfiltration.
Install Mechanism
Instruction-only skill with no install spec or bundled code — lowest install risk. Nothing is downloaded or written to disk by an installer step.
Credentials
Only a single credential (NEMO_TOKEN) is declared, which is appropriate for an API-backed service. Metadata also lists a config path (~/.config/nemovideo/) which suggests the skill may read or store tokens on disk; that is plausible but should be explicit. The skill's anonymous-token flow reduces need to supply long-lived credentials, which is positive.
Persistence & Privilege
The skill does not request always:true or system-wide changes. It is user-invocable and allows autonomous invocation (platform default), which is expected for skills. It does not declare modifications to other skills or system configs.
What to consider before installing
This skill appears to be a legitimate cloud video-generator, but exercise caution before installing because the backend hostname is unknown and the instructions tell the agent to read certain local paths and to upload files to an external service. Before you proceed: 1) Verify the service/domain (mega-api-prod.nemovideo.ai) and the skill author; 2) Avoid uploading sensitive or proprietary media to this skill; 3) If possible, use the anonymous token flow (short-lived token) rather than putting a long-lived credential in NEMO_TOKEN; 4) Expect the agent to access user-provided files and possibly probe ~/.config and a few install paths — refuse the skill if you don't want any filesystem probing; 5) Monitor network activity (or isolate the agent) when testing, and revoke/delete any tokens stored on disk after use. Because the source is unknown and the instructions allow file uploads and filesystem checks, treat this as higher-risk than a purely local tool.

Like a lobster shell, security has layers — review code before you run it.

latestvk978t68mgk1tcqm6pe97fc95px84rp1q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments