ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Text To Video Generator Ai

v1.0.0

generate text prompts into AI-generated videos with this free-text-to-video-generator-ai skill. Works with TXT, DOCX, PDF, copied text files up to 500MB. mar...

0· 58·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match its runtime instructions: it uses a single external video-generation service (mega-api-prod.nemovideo.ai) and requires a service token. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths.
!
Instruction Scope
Instructions tell the agent to check for NEMO_TOKEN and — if absent — automatically contact an external endpoint to obtain an anonymous token (POST to https://mega-api-prod.nemovideo.ai). It also instructs hiding raw API responses and token values from the user. The skill will upload user text and files (up to 500MB) and set attribution headers derived from local install paths (it expects to detect ~/.clawhub or ~/.cursor). These behaviors expand scope beyond simple prompt handling (automatic network auth, potential environment/platform fingerprinting, and suppressed API output).
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only one environment variable (NEMO_TOKEN) is declared as required, which is proportionate for a cloud API-backed video service. However, the skill's instructions will auto-generate and store an anonymous token if none is present, and require adding Authorization and attribution headers. The metadata/frontmatter also references a config path (~/.config/nemovideo/) which is not reflected in registry metadata—an inconsistency to be aware of.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It will run network calls and can be invoked autonomously (default for skills), but there is no 'always: true' or other elevated persistence requested.
What to consider before installing
This skill appears to be a straightforward connector to a third‑party video rendering API, but it will: (1) contact https://mega-api-prod.nemovideo.ai to obtain or use an API token, (2) upload user text/files (potentially large, up to stated 500MB) to that service, and (3) add attribution headers that may reveal which platform/path the agent is running on. Before installing, consider whether you trust nemovideo.ai with your content and metadata. If you do not want the agent to auto-request an anonymous token, pre-set a token in NEMO_TOKEN or decline to install. Note the small metadata inconsistency about a config path in the skill file—ask the publisher to clarify where/if any files will be written locally and why raw API responses are being suppressed.

Like a lobster shell, security has layers — review code before you run it.

latestvk973fwdhgekxa3vsdc2ceb9tvn84jprz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments