ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Text To Best

v1.0.0

Get polished video clips ready to post, without touching a single slider. Upload your text prompt (TXT, DOCX, PDF, plain text, up to 500MB), say something li...

0· 40·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a text→video generator and only requests a NEMO_TOKEN (the service token) and references a nemovideo config path in the SKILL.md frontmatter. That matches its stated purpose. Minor inconsistency: the registry summary shows no required config paths, while the SKILL.md metadata lists ~/.config/nemovideo/ — this is likely a bookkeeping mismatch but worth noting.
Instruction Scope
Runtime instructions stay within the video generation workflow: create/refresh a session, send SSE messages, upload user files (multipart or URL), query credits/state, and poll export results. The agent is instructed to include the service token in Authorization headers and to avoid printing tokens/raw JSON. No instructions ask the agent to read unrelated system files or other credentials.
Install Mechanism
No install steps or downloaded code are present (instruction-only). That minimizes on-disk risk.
Credentials
Only NEMO_TOKEN is declared as required. The SKILL.md also describes creating an anonymous token via the service if no token is present, so a preexisting secret is optional. The only small surprise is the SKILL.md metadata claiming a config path (~/.config/nemovideo/) despite the registry metadata reporting none; this is likely non-critical but inconsistent.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It asks the agent to store session_id for job polling, which is normal for a long-running cloud render workflow.
Assessment
This skill appears to do what it says: it uploads your text and any files you provide to nemo's cloud API and returns rendered video URLs. Before installing or using it, consider: (1) NEMO_TOKEN (or an anonymous token) grants the skill access to the nemo service and any associated account credits — treat it like a credential. (2) Uploaded files and prompts are sent to https://mega-api-prod.nemovideo.ai — don't send sensitive private data unless you trust that service. (3) The SKILL.md and registry metadata disagree about a config path (~/.config/nemovideo/) — this is likely harmless but you may want to confirm what local files (if any) the skill will read. (4) No other external endpoints or unrelated credentials are requested. If you need stronger assurance, ask the publisher for a privacy policy or inspect network logs during a test run.

Like a lobster shell, security has layers — review code before you run it.

latestvk975sr4ja87wxdr145nf1tgdxx84n66g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✍️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments