ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker In Free

v1.0.0

create images or clips into finished MP4 videos with this skill. Works with MP4, MOV, JPG, PNG files up to 500MB. content creators and small business owners...

0· 47·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description match the required credential (NEMO_TOKEN) and the described API endpoints for uploading, rendering, and downloading video. Minor inconsistency: the registry metadata you provided lists no required config paths, but the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/). This mismatch is small but worth noting.
Instruction Scope
SKILL.md instructions stay within the video-rendering scope: checking for NEMO_TOKEN, obtaining an anonymous token from the provider if absent, creating a session, uploading files, using SSE for interactive commands, and polling for export results. It does instruct detecting install path (~/.clawhub/, ~/.cursor/skills/) to populate an X-Skill-Platform header, which requires reading the agent's filesystem layout; otherwise, it does not direct the agent to read unrelated files or extra environment variables.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install pattern and consistent with the skill type.
Credentials
Only NEMO_TOKEN is declared as required. The SKILL.md explains how to obtain an anonymous NEMO_TOKEN via the provider's auth endpoint if not present (100 free credits, 7-day expiry). That behavior is coherent with the purpose, but it does mean the skill will contact an external service to mint a credential automatically if the environment lacks one — consider whether you want the agent to obtain/store such tokens for you. The SKILL.md's configPaths entry may imply writing configuration under ~/.config/nemovideo/.
Persistence & Privilege
The skill is not always-on and does not request system-wide privileges or modification of other skills. It only asks to hold a session_id for active operations (ephemeral). Autonomous invocation is enabled (normal), but there is no evidence of persistent privileged behavior beyond potential local config storage under the declared config path.
Assessment
This skill appears internally consistent for a cloud video-rendering integration, but before installing consider: 1) Source and provenance are unknown (no homepage), so verify you trust the domain mega-api-prod.nemovideo.ai before sending media. 2) The skill will, if no NEMO_TOKEN is present, call the provider to mint an anonymous token and then upload files to their backend — do not use sensitive or private videos unless you trust their service and privacy policy. 3) The SKILL.md mentions a config path (~/.config/nemovideo/) and will detect install paths to populate headers; check where (and whether) tokens or session IDs would be stored on disk. 4) If you need to limit network actions, disable autonomous invocation or run the skill in a sandbox and test with non-sensitive sample files first. If you want more confidence, ask the owner for a homepage or source code, or request explicit details about token persistence and data retention from the service operator.

Like a lobster shell, security has layers — review code before you run it.

latestvk972hdgr1nxz901yneenrt3r0s84rfj4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments