ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Promo

v1.0.0

create video clips into polished promo videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. marketers use it for turning long videos int...

0· 49·0 current·0 all-time
by@linmillsd7
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to create promo videos and its runtime instructions perform uploads and rendering on a cloud API, which is coherent. However, the registry metadata marks NEMO_TOKEN as a required env var while the SKILL.md explicitly documents an anonymous-token flow (generate UUID → POST /api/auth/anonymous-token) that yields a temporary token. Declaring NEMO_TOKEN as required is inconsistent with the instructions. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) but the registry said no required config paths—this mismatch is unexplained.
!
Instruction Scope
The instructions tell the agent to upload user video/audio/image files to https://mega-api-prod.nemovideo.ai and to include several custom headers derived from local install paths. Uploading user media to a third-party service is expected for this functionality, but the skill will transmit user files and session/auth tokens off-device. The skill also instructs saving session_id and using/creating tokens; it's unclear where (disk, memory) these are stored. The instructions are fairly prescriptive (endpoints, headers, polling), which is normal, but you should be aware that sensitive files will be sent to an external host and some environment/installation metadata may be transmitted in headers.
Install Mechanism
No install script or code files are present; the skill is instruction-only. That minimizes installation risk (nothing is downloaded or written by an installer).
!
Credentials
The skill declares a single primary credential (NEMO_TOKEN) which is appropriate for a remote API. However, SKILL.md describes an anonymous token flow that removes the need for a pre-existing NEMO_TOKEN. Requiring NEMO_TOKEN in registry metadata despite providing a built-in anonymous flow is inconsistent and could coerce users into supplying a persistent credential unnecessarily. The instructions also require sending X-Skill-Platform derived from install paths, which may leak local path information.
Persistence & Privilege
always:false and autonomous invocation are standard. The skill instructs saving session_id and may write to a config path (~/.config/nemovideo/) per its frontmatter; the registry did not declare that path as required. Ask the developer whether the agent will persist tokens/session info to disk and where.
What to consider before installing
Before installing: (1) Understand that using the skill will upload your video/audio/image files to https://mega-api-prod.nemovideo.ai — do not use it for sensitive or private footage unless you trust that provider and have reviewed its privacy policy. (2) The registry marks NEMO_TOKEN as required, but the skill can generate a temporary anonymous token itself; avoid setting a persistent NEMO_TOKEN in your environment unless you want the skill to have long-term access. (3) Clarify with the author whether session tokens or session_id are persisted to disk (the SKILL.md mentions a config path but the registry metadata omits it). (4) Ask the maintainer to explain why X-Skill-Platform must be derived from local install paths (this can leak environment info) and whether those headers are strictly necessary. (5) If you proceed, test with non-sensitive media and monitor what files and headers are sent. If the answers to the above are unclear or unsatisfactory, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📣 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk9757cfr8sajvq08frvn8hzp9h857hfn
49downloads
0stars
1versions
Updated 1d ago
v1.0.0
MIT-0
@linmillsd7
latest
Download

Getting Started

Share your video clips and I'll get started on AI promo creation. Or just tell me what you're thinking.

Try saying:

  • "create my video clips"
  • "export 1080p MP4"
  • "cut this into a 30-second promo"

Automatic Setup

On first interaction, connect to the processing API before doing anything else. Show a brief status like "Setting things up...".

Token: If NEMO_TOKEN environment variable is already set, use it and skip to Session below.

Free token: Generate a UUID as client identifier, then POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id: <uuid>. The response field data.token becomes your NEMO_TOKEN (100 credits, 7-day expiry).

Session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer auth and body {"task_name":"project"}. Save session_id from the response.

Confirm to the user you're connected and ready. Don't print tokens or raw JSON.

Video Promo — Create and Export Promo Videos

Send me your video clips and describe the result you want. The AI promo creation runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a 2-minute product demo video, type "cut this into a 30-second promo with music and text overlays", and you'll get a 1080p MP4 back in roughly 1-2 minutes. All rendering happens server-side.

Worth noting: keep source clips under 3 minutes for faster processing and tighter promos.

Matching Input to Actions

User prompts referencing video promo, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is video-promo, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "cut this into a 30-second promo with music and text overlays" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility across social and ad platforms.

Common Workflows

Quick edit: Upload → "cut this into a 30-second promo with music and text overlays" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...