Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Explainer Video Online
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — turn this script into an explainer video with voiceover and animated slide...
⭐ 0 · 57 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the runtime instructions consistently describe a remote explainer‑video service accessed via an API and requiring a single API token (NEMO_TOKEN). The actions (session creation, upload, render, SSE) are coherent with the stated purpose.
Instruction Scope
The SKILL.md tells the agent to read the skill's frontmatter and detect the agent's install path to set X-Skill-Platform, and the frontmatter metadata references a local config path (~/.config/nemovideo/). Probing install paths or arbitrary home paths to derive an attribution header extends the agent's filesystem access beyond what a pure 'upload script → render' flow strictly needs and should be justified. The skill also instructs the agent to upload user files to a third‑party endpoint (expected) — verify user consent and retention policy.
Install Mechanism
This is an instruction‑only skill with no install spec or downloaded code; nothing will be written to disk by an installer as part of skill installation. That minimizes supply‑chain risk.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is appropriate for an API client. However, the frontmatter also lists a config path (~/.config/nemovideo/) which is not declared in the registry metadata summary — a mismatch that could allow the skill to read local configuration files. The skill also instructs obtaining an anonymous token and using/saving it as NEMO_TOKEN; confirm where/how tokens and session IDs are stored.
Persistence & Privilege
The skill is not force‑enabled (always:false) and model invocation is allowed (normal for skills). It asks the agent to persist a session_id and to use/store tokens for subsequent requests, which is expected for session-based APIs but should be transparent to the user.
What to consider before installing
This skill appears to be a legitimate client for a remote explainer‑video API, but there are a few things to confirm before using it:
- Ask the publisher why the SKILL.md frontmatter lists a local config path (~/.config/nemovideo/) while the registry entry shows no required config paths. Confirm whether the skill will read files from that directory and what it contains (tokens, logs, etc.).
- Confirm exactly where NEMO_TOKEN and any anonymous tokens/session IDs are stored (in‑memory only, in an agent config, or written to disk) and how long they remain valid.
- The skill instructs probing install paths (e.g., ~/.clawhub/, ~/.cursor/) to set X-Skill-Platform; ask whether this probing is strictly necessary and what information is derived/exposed by that check.
- Be cautious about uploading sensitive files (private videos, audio, or documents) until you know the provider's retention, sharing, and training policies.
- If you prefer, use ephemeral/limited tokens (anonymous tokens) and avoid providing long‑lived credentials. If you need higher assurance, request a privacy/security statement from the author explaining the filesystem checks and token handling.
If the author can justify the filesystem checks and confirm no undisclosed config/file reads occur, the skill's footprint would be coherent with its purpose; until then, treat it with caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk978895y1qwnn21bfn59vs9h8h84qejr
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
