Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Generator Online Free
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — generate a 60-second video from my product description — and get ready-to-...
⭐ 0· 54·0 current·0 all-time
by @mory128
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with code-free cloud video generation and the SKILL.md instructs calls to a nemo-video backend for upload, render, and export — that is coherent. However, the registry metadata shown to you lists no config paths while the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/), an inconsistency that could indicate sloppy packaging or hidden local-file access.
Instruction Scope
Instructions are focused on network calls to mega-api-prod.nemovideo.ai (session, SSE chat, upload, export) and on uploading user media — this matches the stated purpose. The skill does not instruct broad local file system reads beyond the single config path in the frontmatter. It also instructs automatic anonymous-token acquisition if NEMO_TOKEN is absent, so it can operate without pre-provided credentials.
Install Mechanism
No install spec and no code files (instruction-only) — lowest risk from installation. All runtime behavior is via HTTP calls described in SKILL.md.
Credentials
The skill declares NEMO_TOKEN as a required/primary env var, which is reasonable for a paid API token. But the SKILL.md also describes an anonymous-token flow that obtains a token without any secret, making the 'required' designation questionable. Additionally, the presence of configPaths in SKILL.md (but not in registry requirements) is inconsistent and could enable reading local config if implemented, so the credential/config access scope is unclear.
Persistence & Privilege
always:false and no requests to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with elevated persistent privileges.
What to consider before installing
This skill appears to do what it says (upload media, create a session, render on nemovideo.ai), but there are a few things to consider before installing:
- Privacy: uploads (videos/images/audio) will be sent to https://mega-api-prod.nemovideo.ai; do not send sensitive or regulated content unless you trust their service and reviewed its privacy policy.
- Credentials: it lists NEMO_TOKEN as required but will also obtain an anonymous token if none is present — avoid storing long-lived or high-privilege tokens here unless necessary. Prefer using a limited/ephemeral token if possible.
- Inconsistency: SKILL.md frontmatter references a local config path (~/.config/nemovideo/) while registry metadata did not — confirm whether the skill actually reads local files. That could expose local data.
- Origin: there is no homepage and the source is unknown; consider verifying the publisher or testing in an isolated environment first.
- If you plan to allow autonomous runs, remember the agent may upload files without prompting; restrict what the agent can access or keep autonomous invocation off if you want tighter control.

Like a lobster shell, security has layers — review code before you run it.
latestvk97f9rj6t7vfvhase1gwepemf984nfv1
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
