Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vue Component Generator Online
v1.0.0Skip the learning curve of professional editing software. Describe what you want — generate a reusable Vue 3 component with props, emits, and scoped styles —...
⭐ 0· 39·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description emphasize generating reusable Vue 3 components (code), but the SKILL.md details a cloud video rendering pipeline (upload MP4/MOV, SSE chat, export/poll for video URLs) and endpoints at mega-api-prod.nemovideo.ai. Requiring a NEMO_TOKEN and describing render/export endpoints is coherent for a video service but is disproportionate or at least unclear for a pure 'Vue component generator'. This mismatch could be legitimate (e.g., the service returns demo videos of components) but is not explained in the description.
Instruction Scope
The instructions require contacting remote APIs (session creation, SSE chat, uploads, exports) and sending user-provided media and text to nemovideo.ai. They do not instruct reading arbitrary local files or unrelated env vars beyond NEMO_TOKEN, but they do ask the agent to 'Save session_id' and include attribution headers. Important: the agent will transmit user content (descriptions and possibly uploaded media) to a third-party service — ensure users consent to remote processing of potentially sensitive content.
Install Mechanism
This is instruction-only with no install spec or third-party downloads, so nothing is written to disk by an installer. That lowers installation risk.
Credentials
The skill requires a single credential NEMO_TOKEN (declared primary credential), which matches the described API auth. However, the frontmatter metadata also references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this inconsistency is unexplained. Also, the token controls rendering/credits on the remote service; providing it could allow the service to consume account credits or perform actions on the user's remote account, so users should treat it as sensitive.
Persistence & Privilege
always:false (normal). The skill instructs generating an ephemeral anonymous token if NEMO_TOKEN is absent and saving session_id for ongoing jobs; it doesn't explicitly instruct persistent system changes. Autonomous invocation is allowed (platform default). Combined with the need to call external APIs and possibly persist session IDs, the agent could continue remote jobs without further user prompts — users should be aware of remote job lifecycle and billing implications.
What to consider before installing
This skill routes user input and uploaded media to a third-party cloud API (mega-api-prod.nemovideo.ai) using a NEMO_TOKEN. Before installing or using it, consider: (1) Why does a "Vue component generator" need a video-rendering service? Ask the author for clarification or a homepage/source; (2) The NEMO_TOKEN is sensitive — it can authorize render jobs and consume credits. Prefer an ephemeral or limited token and avoid sharing other secrets; (3) User-provided text and files (videos, images) will be uploaded to a remote service — do not send confidential data unless you trust the service/privacy policy; (4) The skill metadata mentions a local config path (~/.config/nemovideo/) that wasn’t declared elsewhere — confirm whether the agent will read local files; (5) If you need stronger assurance, request the skill’s source or homepage, or ask the maintainer to explain how code generation outputs (Vue code) are returned and why video rendering endpoints are involved. Additional information that would raise confidence to high: an authoritative homepage/source, an explicit explanation tying video rendering to code generation, or example API responses and a privacy/billing statement.Like a lobster shell, security has layers — review code before you run it.
latestvk9774j39twnhh5xfvnag2tpydd84qv0k
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚙️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN