ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dance Video

v1.0.0

Turn a 2-minute phone recording of a dance routine into 1080p polished dance clips just by typing what you need. Whether it's editing dance footage with beat...

0· 42·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud AI video editing) align with the API endpoints and the single required credential (NEMO_TOKEN). However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and logic to inspect install directories (~/.clawhub/, ~/.cursor/skills/) that are not reflected in the registry 'Requirements' section — an inconsistency worth clarifying.
!
Instruction Scope
Runtime instructions direct the agent to obtain anonymous tokens, create sessions, upload user video files, poll render jobs, and derive headers by inspecting local install paths. Inspecting filesystem paths to set X-Skill-Platform and writing/storing session state in a local config folder are out-of-band relative to a pure chat-forwarding integration and raise privacy/operational scope questions (where is session stored, what else is read?). The SKILL.md also instructs not to display raw API responses or token values to the user, which is reasonable for safety but also reduces transparency.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That reduces install-time risk.
Credentials
Only one environment variable is declared (NEMO_TOKEN), which matches the described API usage. However the skill describes generating/storing anonymous tokens and references a local config directory in its frontmatter; it's unclear whether session tokens will be persisted on disk and where. The declared registry metadata said no config paths, but SKILL.md implies ~/.config/nemovideo/, so confirm what will actually be stored and accessible.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Still, it instructs the agent to create and retain session IDs and may persist state (frontmatter mentions a config path). Confirm whether session tokens are stored persistently and whether they are scoped/rotated — persistent credentials combined with autonomous invocation could increase blast radius.
What to consider before installing
This skill appears to call an external video-rendering API (mega-api-prod.nemovideo.ai) and can generate anonymous tokens if you don't supply NEMO_TOKEN. Before installing or using it: 1) Verify the API domain and the service's privacy/security posture (is nemovideo.ai a service you trust?). 2) Clarify where session tokens are stored (SKILL.md suggests a config path but registry metadata omits it). If tokens are persisted to ~/.config/nemovideo/, know that anyone with access to that path could use them. 3) The skill may inspect paths like ~/.clawhub/ or ~/.cursor/skills/ to populate headers — if you prefer to avoid exposing filesystem layout, ask the developer to remove that behavior. 4) Prefer using an account/token with limited scope or a disposable account for testing; avoid supplying sensitive credentials or documents. 5) Because this is instruction-only (no code reviewable here), consider testing in an isolated environment (VM/container) and confirm responses and stored files before trusting it with private footage or long-lived credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk978fpm73exfcv10r857yd96ex84qqyw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💃 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments