Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Batch Video Creator Free
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — create individual videos for each image with background music and text ove...
by @mory128
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with uploading media and calling a remote render API. Requesting a single service credential (NEMO_TOKEN) is expected. However, the SKILL.md metadata mentions a config path (~/.config/nemovideo/) and install-path detection (~/.clawhub/, ~/.cursor/skills/) even though the registry lists no required config paths; that discrepancy is unexplained.
Instruction Scope
Instructions tell the agent to (a) use NEMO_TOKEN or acquire an anonymous token by POSTing to an external auth endpoint, and (b) upload user media and poll render endpoints. Those network actions are coherent with the purpose. Concerns: the skill instructs including an X-Skill-Platform header 'detected from the install path' (implying filesystem checks of home/.clawhub or ~/.cursor) but does not declare filesystem access; it also says 'Keep the technical details out of the chat', which explicitly directs the agent to hide operational/networking steps from the user — that reduces transparency about where user data is being sent and how tokens are used.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is lower risk than arbitrary downloads or install scripts.
Credentials
Only one environment variable is required (NEMO_TOKEN), which is proportionate for a third‑party rendering API. However, the SKILL.md also references a local config directory (~/.config/nemovideo/) in its metadata and implies reading install paths to set headers; those file-system accesses are not declared in the registry and may grant access to local files/configs the user didn't expect.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or modification of other skills. Autonomous invocation is allowed by default and not itself a red flag here.
What to consider before installing
This skill appears to perform exactly what it says (upload media and call a remote render API), but there are a few things to confirm before installing:
- Verify the service domain (mega-api-prod.nemovideo.ai) and check its privacy/data retention policy — uploads are sent to that external service and may be stored there.
- Ask the skill author why the SKILL.md metadata references ~/.config/nemovideo/ and install-path detection (~/.clawhub/, ~/.cursor/skills/) when the registry shows no required config paths; ask whether the agent will read those paths and what it will look for.
- Confirm what NEMO_TOKEN grants access to and avoid providing secrets not intended for this service. If you lack a token, the skill will obtain an anonymous token by contacting the service on your behalf — ask whether that anonymous token, IP, or uploaded content is logged or tied to your account.
- Be cautious of the instruction to 'keep technical details out of the chat' — request clearer transparency about network calls and what data is sent back to the user.
If you cannot get satisfactory answers to the above, avoid installing or using the skill with sensitive media or credentials. If you proceed, consider using non-sensitive sample files and a limited-scope/throwaway token first.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97dpkk0rwj4tjmcr9f7gddzp584pnz3
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
