ClawHub

Json Prompt Video Generator Free

Security checks across malware telemetry and agentic risk

Overview

This is a coherent remote video-generation skill, but it will connect to Nemovideo, use or create an API token, and upload user prompts/files to that provider.

This skill looks purpose-aligned and instruction-only. Before using it, understand that it connects to Nemovideo, may create or use a NEMO_TOKEN, and sends selected prompts/files to remote servers for rendering. Avoid uploading sensitive material unless you trust the provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Low
What this means

The agent may use an existing Nemovideo token or create a temporary anonymous provider token to run video jobs.

Why it was flagged

The skill uses a provider token or creates an anonymous token to authenticate to Nemovideo. This is expected for the stated video-generation integration, but it establishes delegated access to a third-party service.

Skill content
If `NEMO_TOKEN` is in the environment, use it directly... Otherwise, acquire a free starter token... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`
Recommendation

Use a token intended for this service, avoid sharing unnecessary account credentials, and review provider terms/privacy expectations before sending content.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Any prompts or files selected for video generation may be processed by Nemovideo's backend.

Why it was flagged

The skill discloses that user-provided prompts/files are uploaded to a remote rendering backend. This is aligned with the skill purpose, but it means local content leaves the user's environment.

Skill content
Upload JSON, TXT, CSV, YAML files up to 200MB... All rendering happens server-side.
Recommendation

Do not upload confidential, regulated, or sensitive files unless you are comfortable with the provider processing them.

#
ASI02: Tool Misuse and Exploitation
Info
What this means

The agent may perform internal API steps such as edits, state checks, or exports as part of the video workflow without showing every technical action.

Why it was flagged

The skill instructs the agent to translate backend GUI-style responses into API actions. This is purpose-aligned orchestration, but it gives provider responses influence over follow-up API calls within the session.

Skill content
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Recommendation

Review generated results before relying on or sharing them, and ask the agent to explain actions if you need transparency.