Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Maker Ai Ai
v1.0.0
Turn a 60-second product demo recording into 1080p polished MP4 videos just by typing what you need. Whether it's generating finished videos from raw clips u...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a cloud video maker and all network calls target a video backend (mega-api-prod.nemovideo.ai), which is coherent. However, registry metadata declares NEMO_TOKEN as a required primary env var while the SKILL.md explicitly describes auto-obtaining an anonymous token if NEMO_TOKEN is absent. Also the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and logic to detect install paths for attribution, but the registry-level required config paths are 'none' — this mismatch suggests metadata and runtime instructions are not fully aligned.
Instruction Scope
Runtime instructions direct the agent to upload user media and run render/export workflows on the remote service (expected). They also instruct reading the skill's frontmatter (to populate attribution headers) and detecting install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform; detecting install paths implies reading filesystem locations in the user's home directory, which expands scope beyond pure network calls. The instructions otherwise stay within the stated video creation purpose.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is lower-risk compared with skills that download and extract binaries.
Credentials
Only NEMO_TOKEN is declared. That is reasonable for a third-party API, but the SKILL.md describes generating an anonymous token via a POST to the backend when NEMO_TOKEN is absent (100 free credits, 7-day expiry), which makes the registry declaration 'required' ambiguous. The skill does not request unrelated secrets, but the mismatch (required vs optional via anonymous flow) should be clarified.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills. However it instructs reading local install paths and possibly a user config directory (~/.config/nemovideo/), which are modest filesystem accesses beyond purely sending requests. The skill also instructs making repeated network calls and polling exports; that is expected for its function.
What to consider before installing
This skill sends your uploaded media and API calls to mega-api-prod.nemovideo.ai and uses a NEMO_TOKEN bearer token. Before installing or using it:
1) Confirm you trust the nemovideo domain and are comfortable uploading any media (it will leave your machine).
2) Note the registry says NEMO_TOKEN is required but the SKILL.md describes an anonymous-token flow—ask the publisher which is intended and whether tokens are stored or only used in-memory.
3) The skill may read install paths and a ~/.config/nemovideo/ path for attribution/platform detection—if you have sensitive files in those locations, be cautious.
4) The skill has no source/homepage or code to inspect (instruction-only from an unknown owner); prefer skills from known publishers or request the source and privacy policy before sending sensitive content.
If you proceed, consider creating an anonymous account or using disposable/test media first.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bdp68cgyzxdwhjvxct1kfw984mwyh
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
