ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Text To Ai

v1.0.0

convert text prompts into AI generated videos with this skill. Works with TXT, DOCX, PDF, copied text files up to 500MB. marketers use it for generating vide...

0· 57·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the runtime instructions: the SKILL.md describes sending text to a remote rendering API and returning MP4s. The only requested credential is NEMO_TOKEN which matches the API usage. Minor inconsistency: the SKILL.md frontmatter metadata lists a config path (~/.config/nemovideo/) but the registry metadata shows no required config paths — this mismatch should be clarified.
Instruction Scope
Instructions are detailed and stay within the stated purpose (session creation, SSE messaging, uploads, export/polling). They instruct the agent to use NEMO_TOKEN if present or to POST for an anonymous token. They also instruct reading the SKILL.md frontmatter and detecting install path to set attribution headers. The skill does not instruct reading unrelated system files or other credentials, but the referenced config path in frontmatter implies it may check user config (~/.config/nemovideo/) which the registry did not declare.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an install standpoint (nothing is downloaded or written by the skill itself).
Credentials
Only one credential is declared (NEMO_TOKEN) which is appropriate for an API-backed video service. The SKILL.md also supports anonymous tokens obtained at runtime, so a provided NEMO_TOKEN is optional. Confirm whether the skill will read ~/.config/nemovideo/ or other config paths (frontmatter lists one) before supplying sensitive credentials.
Persistence & Privilege
The skill is not forced-always and does not request elevated persistent privileges. It does queue remote render jobs but does not request modification to other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (send text to a cloud renderer and return video files) and is instruction-only (no installer or code). However: (1) the skill will call an external API (mega-api-prod.nemovideo.ai) and will either use your NEMO_TOKEN or fetch an anonymous token automatically — do not provide sensitive credentials unless you trust the service; (2) the SKILL.md metadata references a config path (~/.config/nemovideo/) that the registry did not declare — ask the publisher what it reads from that location; (3) the skill source is unknown and no homepage is provided, so prefer testing with non-sensitive/sample text first. If you decide to install, consider using the anonymous token path or a disposable project token rather than your primary account token.

Like a lobster shell, security has layers — review code before you run it.

latestvk972zfs71q5w6fnjzvyra4gk0n84nk0s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✍️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments