ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Generator

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — generate a 30-second video from my script idea about product launch — and...

0· 52·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe cloud video generation and the SKILL.md instructs only about calling a nemo-video API and uploading media — the single required env var (NEMO_TOKEN) is appropriate. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata above lists no required config paths — an inconsistency worth clarifying.
Instruction Scope
Runtime instructions direct the agent to: use NEMO_TOKEN (or obtain an anonymous token via a POST to the nemo API), create a session, upload user media (up to 500MB), drive SSE streams, poll render endpoints, and include attribution headers. All of these are consistent with a cloud-rendering video service. The instructions do not request unrelated system data (shell history, other creds) but they do instruct the agent to detect install path to set X-Skill-Platform, which implies reading local paths — confirm what exact path checks are performed and that no other local files are read.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. There is no download/extract or third-party package installation described.
Credentials
Only NEMO_TOKEN is required (declared as primaryEnv). The SKILL.md also instructs obtaining an anonymous token when NEMO_TOKEN is absent. This is proportionate to the service. The only concern is the SKILL.md frontmatter listing a config path (~/.config/nemovideo/) that could enable reading local configuration; the top-level manifest lists no config paths — clarify which is authoritative.
Persistence & Privilege
always:false and no special persistent/system-wide privileges requested. The skill can be invoked autonomously by the agent (default) but does not ask for forced always-on presence or to modify other skills' configs.
What to consider before installing
This skill appears to do what its description says (call an external 'nemovideo' API and upload user media), but check the following before installing: 1) Confirm the authoritative metadata: SKILL.md frontmatter includes a config path (~/.config/nemovideo/) even though the registry summary lists none — ask the publisher whether the skill will read that directory. 2) Understand that the skill will contact https://mega-api-prod.nemovideo.ai and will upload any media you provide (up to 500MB); do not upload sensitive videos or private credentials. 3) NEMO_TOKEN is the only required credential; if you must provide it, prefer a scoped or ephemeral token rather than long-lived credentials. 4) The skill can obtain an anonymous token on its own if no NEMO_TOKEN is present — if you want to avoid auto-registration, block outbound calls or require explicit user consent. 5) Because the source and homepage are unknown, prefer to use this in a sandboxed environment or request publisher/source verification before granting access to sensitive data. If the publisher can explain the configPath discrepancy and confirm no other local files are read, confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

latestvk978mejx6dw46tkk92c7xt7cw584q0m7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments