Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lipsyncvideo Ai
v1.0.1
Match audio tracks to lip movements in your videos. lipsyncvideo-ai uploads your clip to a cloud GPU, syncs the audio you provide to the speaker's mouth, and...
by @mory128
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (lip-sync by uploading video/audio to cloud GPUs) aligns with the runtime instructions that POST uploads and start render jobs on a remote API. However the registry metadata lists NEMO_TOKEN as a required env var while the SKILL.md also documents an anonymous-token endpoint (client-generated UUID) — either approach could be legitimate, but the registry claiming the token is required while the doc provides an anonymous path is an inconsistency worth noting.
Instruction Scope
SKILL.md explicitly instructs the agent to upload user video/audio to https://mega-api-prod.nemovideo.ai, manage sessions, stream SSE messages, and poll rendering status — all expected for this service. It does not ask the agent to read unrelated system files or other credentials. Minor scope creep: it requires adding attribution headers derived from install path, which instructs the agent to inspect its environment/paths to form X-Skill-Platform; that is plausible but gives the skill some discretion about local context.
Install Mechanism
No install script or third-party download is present (instruction-only). That reduces disk-write/exec risk. There is no brew/npm/URL install to review.
Credentials
Only one credential (NEMO_TOKEN) is declared as primary, which is proportionate for an external API. But SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter while registry metadata earlier listed no required config paths — another metadata mismatch. Also the skill documents an anonymous-token endpoint that issues short-lived tokens; the registry nonetheless marks NEMO_TOKEN as required, which may mislead users into supplying a long-lived token unnecessarily. Because the backend host/source is unverified and no privacy/retention policy is provided, granting a token that allows arbitrary uploads raises privacy concerns.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistent platform privileges. It will create and use session IDs and short-lived tokens (normal for this type of service). It does not declare modifications to other skills or system-wide configs.
What to consider before installing
This skill will upload your videos and audio to an external service (mega-api-prod.nemovideo.ai) for processing — that's expected for a cloud lip-sync tool, but you should only proceed if you're comfortable with that data leaving your device. Before installing or using:
1) Verify the service/provider (there's no homepage or source listed here).
2) Prefer using the anonymous-token flow described in SKILL.md (short-lived token) rather than handing over any unrelated or high-privilege tokens.
3) Ask the publisher about data retention, sharing, and delete policies for uploaded media.
4) Note metadata inconsistencies (registry says NEMO_TOKEN required; SKILL.md documents anonymous tokens and a config path) — confirm whether an env token is actually required.
5) If you handle sensitive footage, test with non-sensitive clips first or run processing through an isolated account.
If you want, I can help draft questions to ask the publisher or check network endpoints for further provenance.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cx4ezzjvyp16mn2gja1vdax84ev7g
Runtime requirements
👄 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
