Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Generation Comfyui

v1.0.0

generate text prompts or images into AI-generated video clips with this skill. Works with PNG, JPG, MP4, WebM files up to 200MB. indie creators and ComfyUI e...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (ComfyUI-style free video generation) matches the API calls and flows in SKILL.md. Requiring a single NEMO_TOKEN is proportionate for an external render API. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this discrepancy is unexplained and worth clarifying.
Instruction Scope
Runtime instructions tell the agent to obtain or use NEMO_TOKEN, create sessions, upload local files (multipart with local file paths or URLs), and poll SSE endpoints. That is expected for a cloud-render skill. Concerns: (1) the doc instructs the agent to 'save session_id' and to use or issue tokens (anonymous-token flow) but does not specify where or how to persist them (in memory vs. on disk); (2) it tells the agent to detect the install path by probing home directories (~/.clawhub/, ~/.cursor/skills/), which requires reading the user's filesystem beyond just the files the user intentionally uploads. These behaviors increase the chance that tokens or IDs could be persisted or that the skill will read unexpected files.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. No downloads or package installs are requested.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which is consistent with calling the nemo API. The SKILL.md also defines an anonymous-token flow when NEMO_TOKEN is absent (generating a client UUID and exchanging it for a short-lived token) — reasonable but means the skill can obtain credentials autonomously. The mismatch between the registry's 'no config paths' and the SKILL.md frontmatter listing ~/.config/nemovideo/ is unexplained and should be clarified (could indicate where tokens/sessions are saved).
Persistence & Privilege
The skill does not set always:true and allows model invocation (normal). However, the instructions explicitly say to 'save session_id' and to reuse or refresh tokens (anonymous or provided). Because the skill is instruction-only, the mechanism and location for persistence are unclear. If the agent stores NEMO_TOKEN or session IDs on disk (e.g., ~/.config/nemovideo/), that raises longer-term persistence and privacy concerns. No explicit request to modify other skills or system-wide settings is present.
What to consider before installing
This skill generally does what it says (calls an external rendering API), but check these before installing:
1) Confirm you trust the API host (mega-api-prod.nemovideo.ai) because your uploads (images, video) and any token will be sent there.
2) Prefer using a throwaway/anonymous token rather than a long-lived or high-privilege token; the skill can generate a short-lived anonymous token automatically.
3) Ask the author how/where tokens and session IDs are persisted — the SKILL.md suggests saving session IDs and references a config path in its frontmatter; if they are written to disk (e.g., ~/.config/nemovideo/) consider the privacy implications.
4) If you do not want the skill to probe your home directories for install-path detection, do not grant filesystem access or run it in a restricted environment.
5) If unsure about the domain or persistence behavior, do not install or only test in an isolated account/environment.


latestvk97ek0vg1h46rgcnv82jj95fc184rc9b


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
