ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Generator Free

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — generate a 30-second video from my product description — and get generated...

0· 45·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its runtime instructions (it calls a NemoVideo cloud API to upload media, create sessions, stream SSE, and export MP4). However the registry metadata in the manifest lists no required config paths while the SKILL.md frontmatter explicitly references a config path (~/.config/nemovideo/) and install-path detection (~/.clawhub/, ~/.cursor/skills/) used to set X-Skill-Platform headers. That registry ↔ SKILL.md mismatch is an incoherence in declared requirements/provenance. Also the skill has no homepage or source listed (unknown origin).
Instruction Scope
The SKILL.md instructions stay within the stated purpose: they check for NEMO_TOKEN, optionally fetch an anonymous token, create sessions, upload files or URLs, read session state, and run export workflows. The instructions request access only to user-provided files for upload. They do reference detecting install paths for a header value, which could require filesystem inspection, but otherwise do not instruct reading unrelated system files or other credentials.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is written to disk by an installer. This is low-risk from an install-mechanism perspective.
Credentials
The only declared credential is NEMO_TOKEN (primaryEnv). That fits the described cloud API usage. The skill also describes creating an anonymous token if none is present, which is consistent with needing a token. Still: because the skill will upload user media to an external API, users should avoid providing additional unrelated credentials and be aware of where they place NEMO_TOKEN (workspace/global env secrets).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or system-wide settings in the provided instructions.
What to consider before installing
This skill appears to implement what it claims (cloud video generation), but its origin is unknown and there's a small metadata mismatch (SKILL.md references a nemovideo config path while the registry metadata did not). Before installing: 1) Confirm you trust the backend domain (mega-api-prod.nemovideo.ai) and review its privacy/data-retention terms — uploads will be sent to that external service. 2) Prefer using an ephemeral or limited-scope NEMO_TOKEN rather than sharing broader workspace secrets. 3) Expect the skill to create an anonymous token automatically if none is present (100 free credits, 7-day expiry) — don't rely on it for sensitive data. 4) If you need stronger assurance, ask the publisher for source code or a homepage and clarification about the referenced config path and any filesystem access the agent will perform.

Like a lobster shell, security has layers — review code before you run it.

latestvk977mhs8b3wh6tremj7aajxfe184q2qa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments