ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Team Video Generation

v1.0.0

Turn five short clips recorded by different team members into 1080p merged team video just by typing what you need. Whether it's combining clips from multipl...

0· 57·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actions described (upload clips, remote render, return MP4). The single required credential (NEMO_TOKEN) and endpoints are consistent with a hosted video-rendering service.
Instruction Scope
Instructions stay within the video-rendering scope (authentication, session creation, upload, SSE streaming, render polling). They also direct automatic anonymous token acquisition and storage of session_id, and ask the agent to derive X-Skill-Platform from local install paths — these require the agent to read/write state and query filesystem/location info which is slightly broader than simple request/response handling.
Install Mechanism
Instruction-only skill (no install spec, no code files) — lowest installer risk. All runtime behavior is via HTTPS calls to the described backend.
Credentials
Only NEMO_TOKEN is required (proportionate). However the skill will auto-generate an anonymous token if none is present and implies storing credentials/session data (metadata includes a config path ~/.config/nemovideo/). Registry metadata shown to you earlier did not list a config path, so there's a small inconsistency about what it will read/write.
Persistence & Privilege
always:false and normal autonomous invocation. The skill expects to store session tokens/IDs (and possibly config files under ~/.config/nemovideo/) which is normal for a client of a remote service but does grant persistent local state tied to your account/anonymous token.
What to consider before installing
This skill appears to be a thin client for a remote video-rendering service and will upload whatever media you provide to mega-api-prod.nemovideo.ai. Before installing, consider: 1) Do you trust that external service and its privacy terms? Uploaded clips will be transmitted and rendered remotely. 2) The skill will obtain or use a NEMO_TOKEN — it can auto-generate an anonymous token and store session data (likely under ~/.config/nemovideo/). If you prefer control, pre-set NEMO_TOKEN yourself rather than letting the skill obtain/store it. 3) There is a minor inconsistency: the skill's SKILL.md metadata references a config path but the registry metadata did not — ask the publisher where tokens/sessions are stored and for a homepage/privacy policy. 4) If you need higher assurance, request provenance (who runs the nemovideo backend, privacy policy, and whether uploaded media are retained), or avoid installing until you can verify the service domain and owner identity.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eya5vn3apm8gna3kew91e1d84qx3x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👥 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments