Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Letter Maker Online
v1.0.0Get personalized video letters ready to post, without touching a single slider. Upload your photos, text, audio (JPG, PNG, MP4, MP3, up to 200MB), say someth...
⭐ 0· 56·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the runtime instructions: the skill talks to a single external service (mega-api-prod.nemovideo.ai) to create video letters and uses a single credential (NEMO_TOKEN). The declared API endpoints and actions (session creation, upload, SSE, render/export) are coherent with a cloud render pipeline.
Instruction Scope
Instructions include expected operations (check env, create anonymous token if absent, create session, upload files, poll render). They also instruct the agent to detect install paths (~/.clawhub/, ~/.cursor/skills/) to set an attribution header and to store session tokens for subsequent requests. Detecting install paths and storing session state is slightly outside pure 'upload/convert' scope but can be justified for attribution and session handling; the instructions are otherwise explicit about what API calls to make. The skill will send user files (photos/audio) to a third-party API — users should be aware of privacy implications.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by an installer. That minimizes install-time risk.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportionate to the described cloud API. However there is an inconsistency: registry metadata listed no required config paths, while the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) and the skill both declares NEMO_TOKEN as required and gives instructions to auto-generate an anonymous token when one is not present. It's unclear whether the skill expects a pre-provisioned token or will create and persist one automatically — this ambiguity affects where credentials might be stored and for how long.
Persistence & Privilege
always:false (normal) and there's no installer, so the skill does not request permanent platform-wide presence. It does ask the agent to store a session_id and (implicitly) the anonymous token for later requests, and the frontmatter references a config path (~/.config/nemovideo/) where it may persist data. Confirm where tokens/sessions are stored if you require them to be ephemeral.
What to consider before installing
This skill sends your uploaded photos, text, and audio to a third-party API (mega-api-prod.nemovideo.ai) for cloud rendering and uses a single credential named NEMO_TOKEN. Before installing: (1) Decide whether you are comfortable uploading personal media to that external service and review its privacy/retention policy; (2) Clarify the credential behavior — the SKILL.md both lists NEMO_TOKEN as required and describes auto-generating an anonymous token (100 free credits, 7 days) and storing a session_id. Ask the publisher how/where tokens and session IDs are persisted (memory vs ~/.config/nemovideo/ vs environment); if you require tokens not be persisted, refuse automatic token creation; (3) Note the skill may read typical install paths to set an attribution header — this is low-risk but you should confirm it will not read unrelated files; (4) If you need stronger guarantees, request the skill source code or a privacy policy, and avoid uploading sensitive media until you verify storage/retention and token handling. The inconsistencies described above are why I rate this "suspicious" rather than "benign."Like a lobster shell, security has layers — review code before you run it.
latestvk97d3a2ejq1nm0v7t6chx0dvfn84q9xw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💌 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN