ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Generator

v1.0.0

Cloud-based free-video-generator tool that handles generating short videos from images or clips without editing software. Upload MP4, MOV, JPG, PNG files (up...

0· 16·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (cloud video generation) align with the single required credential (NEMO_TOKEN) and the documented API endpoints for uploads, render, and credits. The skill's declared primaryEnv (NEMO_TOKEN) is consistent with a service-backed video generator.
Instruction Scope
SKILL.md instructs the agent to authenticate (create anonymous token if missing), create session, upload user files, stream SSE messages, poll render status, and return a download URL — all expected for this purpose. Notable points: it instructs reading the skill's YAML frontmatter and detecting installation path to set X-Skill-Platform (implies filesystem access), and it tells the agent to 'store the returned session_id' and treat NEMO_TOKEN as the active token. It also directs automatic uploads of user media to an external domain (mega-api-prod.nemovideo.ai). These behaviors are coherent with the stated purpose but do involve transmitting user files off-device and reading some local paths.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written to disk by an installer in the package itself.
!
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportional. However: SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata reported no required config paths — this is an inconsistency. The instructions assume the agent can persist or reuse a NEMO_TOKEN (check/skip if set) and store session_id for reuse; depending on the platform, the skill may not be able to persist environment variables between runs. Also the skill will upload user media to a third-party API (privacy/PII risk) — that is expected for this capability but important to confirm before use.
Persistence & Privilege
always:false and no request to modify other skills or system-wide configs. The only persistence implied is keeping session_id and token for API calls; that is a normal, limited runtime requirement. No elevated privileges requested.
What to consider before installing
This skill appears to do what it claims (cloud-based video creation), but before installing or using it: 1) Understand that any images/clips you upload will be sent to the third-party domain mega-api-prod.nemovideo.ai — do not upload sensitive or private content unless you trust that service and its terms/privacy policy. 2) Confirm how your platform handles NEMO_TOKEN and session storage: the SKILL.md assumes the agent can check/set a NEMO_TOKEN and persist session_id between calls; if your environment doesn't persist env vars, behavior may be flaky. 3) Ask the maintainer to clarify the configPaths discrepancy (SKILL.md mentions ~/.config/nemovideo/ but registry metadata shows none) and to provide a homepage or source so you can verify the service. 4) If you need stronger privacy guarantees, avoid using this skill or test with non-sensitive media first. If you want me to, I can draft a short list of questions to send to the skill author or examine any network policy/logs you can provide when the skill runs.

Like a lobster shell, security has layers — review code before you run it.

latestvk9737640mwgde0h8v91c0d77nn84mebx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments