Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seedance Lip Sync Generator
v1.0.0
Need to match mouth movements to a dubbed or replaced audio track? This seedance-lip-sync-generator skill handles AI lip sync generation on a remote backe...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the skill sends video/audio to NemoVideo's remote API to produce lip‑synced output. However, metadata and SKILL.md disagree: the registry lists NEMO_TOKEN as required, while the runtime instructions include an anonymous-token flow if NEMO_TOKEN is absent. SKILL.md metadata also references a config path (~/.config/nemovideo/) even though the registry reported no required config paths.
Instruction Scope
Runtime instructions are explicit about API endpoints, uploads, and SSE handling — all expected for a remote processing skill. They also instruct the agent to read this file's YAML frontmatter (for attribution) and to detect the agent install path on disk to set X-Skill-Platform. Reading install paths and frontmatter implies filesystem access beyond merely accepting user-supplied files; the skill does upload local files or URLs to the third‑party API.
Install Mechanism
No install spec or code files — instruction-only skill. This is lower risk because nothing is written to disk by an installer.
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which is proportional for a third‑party API. However, the SKILL.md also documents an anonymous token acquisition flow (POST to /api/auth/anonymous-token) and suggests using or reading config at ~/.config/nemovideo/, creating ambiguity about whether a user-supplied secret is truly required or will be generated/stored automatically. The skill also requires adding attribution headers derived from local metadata/install path — again implying filesystem access not declared as required.
Persistence & Privilege
The skill is not force-enabled (always:false) and can be invoked normally. It instructs creating and keeping a session_id for operations; it does not clearly state whether session_id or tokens are persisted to disk (but metadata hints at a config path). Clarify whether any credentials or session state are stored on disk and where.
What to consider before installing
This skill will upload your video and audio to a third‑party service (mega-api-prod.nemovideo.ai) for processing — if your media is sensitive, don’t send it until you trust the provider and their retention/privacy policies. Before installing or using:
- Ask the publisher whether NEMO_TOKEN must be provided or whether the skill will always obtain and store an anonymous token; if it stores tokens/session IDs on disk, ask where and for how long.
- Confirm whether anything is written to ~/.config/nemovideo/ or other config paths and whether uploads are retained.
- If you’re concerned about exposing credentials or files, use a disposable/test token and test with non-sensitive media first.
- If you need stronger guarantees, prefer a local/offline tool or a vetted vendor with documented privacy/retention policies.
Given the metadata/instruction inconsistencies (declared required env vs anonymous token flow, and configPath mentions), request clarification from the skill author before granting access to real media or secrets.
latestvk975daj32y23yst6q3jdtvpw1984e5jk
Runtime requirements
🎙️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
