ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker

v1.0.0

Get polished MP4 videos ready to post, without touching a single slider. Upload your video clips or images (MP4, MOV, AVI, WebM, up to 500MB), say something...

0· 51·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with a cloud video rendering service and the SKILL.md describes appropriate API calls (session, upload, render, export). Requesting a service token (NEMO_TOKEN) is expected for this purpose. However the SKILL.md embeds extra metadata (a configPaths entry) that does not match the registry metadata (which listed no config paths), creating a mismatch about what filesystem access the skill expects.
!
Instruction Scope
Instructions direct the agent to: read this file's frontmatter for attribution headers (reasonable), detect the agent install path pattern (e.g., ~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform (this requires probing the filesystem or agent environment), generate and store an anonymous token if NEMO_TOKEN is absent, save session_id, upload user-provided video/audio files to an external domain, and send bearer auth headers on every API call. Most of these actions are within the stated purpose, but the filesystem probing and implicit persistence of session state are not declared in the registry metadata and should be explicit.
Install Mechanism
Instruction-only skill with no install spec or code files — low installation risk. Nothing is downloaded or written by an install step according to the registry.
Credentials
Only one credential (NEMO_TOKEN) is declared as required and is appropriate for accessing the remote rendering API. The SKILL.md also suggests a config path (~/.config/nemovideo/) in its internal metadata; the registry lists no required config paths. This mismatch should be resolved. Also, the agent is instructed to POST an anonymous-token endpoint to create a short-lived NEMO_TOKEN if none exists — that is a reasonable fallback but means the skill can obtain a token on behalf of the user if they don't supply one.
Persistence & Privilege
always:false and no install steps. The skill instructs saving a session_id for ongoing renders (expected) but does not request permanent always-on privileges or modification of other skills. The autonomy default (model invocation allowed) is normal and not flagged on its own.
What to consider before installing
This skill appears to be a straightforward cloud video-renderer, but before installing or using it: - Verify the skill's source/owner and prefer skills with a homepage or repo. This one has unknown source and no homepage. - Only provide a NEMO_TOKEN if you trust the nemovideo.ai service; if unsure, let the skill generate an anonymous token (short-lived, limited credits) rather than entering a long-lived token. - Expect your uploaded video/audio files to be transmitted to https://mega-api-prod.nemovideo.ai — do not upload private/sensitive footage unless you trust that endpoint and its data-retention policy. - The SKILL.md implies the agent will probe common install paths (~/.clawhub, ~/.cursor/skills) to set an attribution header; confirm you are comfortable with that filesystem probing or ask for explicit permission. - Ask the skill author to reconcile the registry metadata vs. SKILL.md (configPaths mismatch) and to provide a homepage or source so you can review privacy and security details. If the author publishes a trusted homepage/repo and clarifies that filesystem reads are limited to the skill's own files (or provides explicit consent prompts), my confidence in this being coherent would rise.

Like a lobster shell, security has layers — review code before you run it.

latestvk977cnjx96y6aj4gn6px8axswx84qrwm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments