Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Maker Logo Free
v1.0.0
Turn a 30-second product promo clip into 1080p logo-branded videos just by typing what you need. Whether it's adding a logo or watermark to videos for free o...
⭐ 0· 37·0 current·0 all-time
by @mory128
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (video branding via a cloud rendering backend) align with its API calls and required NEMO_TOKEN credential. However, the SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) while the registry metadata presented earlier omitted config paths — this mismatch is an incoherence in declared requirements.
Instruction Scope
Instructions stay focused on upload, session management, SSE, and export workflows for the nemovideo backend. They also direct the agent to auto-obtain an anonymous token and persist a session_id. Two points to note: (1) the instructions say to 'detect' the install path to set X-Skill-Platform (this implies the agent may inspect local paths or runtime environment), and (2) the doc tells the agent not to display raw API responses or token values to the user, which is unusual guidance that hides sensitive values from the user interface.
Install Mechanism
No install spec and no code files (instruction-only). That is the lowest install risk — nothing is written to disk by an installer step in the skill package itself.
Credentials
The skill requests a single credential (NEMO_TOKEN), which is proportional for a remote API. However, it instructs the agent to create and store an anonymous token automatically if one isn't present. Automatic token issuance and local storage are reasonable, but you should confirm where the token/session are stored and their lifetime/permissions. The guidance to avoid showing token values to the user reduces transparency.
Persistence & Privilege
always:false (no forced presence). The skill expects to store session_id and token for subsequent calls (persistence within the agent). This is expected for a session-based API but you should confirm storage location and retention (orphaned render jobs are noted). The skill also reads/detects install paths to derive X-Skill-Platform, which implies modest filesystem inspection.
What to consider before installing
This skill is broadly consistent with a cloud-based video watermark/branding service, but review these points before installing:
1) It will contact an external API (mega-api-prod.nemovideo.ai) and will create an anonymous NEMO_TOKEN for you if none is present — ask where that token and session_id are stored and how long they persist.
2) The skill intends to 'detect' the local install path to set an attribution header — confirm whether the agent will read local filesystem paths and whether that exposure is acceptable.
3) There is a mismatch in declared config-path requirements (SKILL.md lists ~/.config/nemovideo/ while the registry metadata did not) — seek clarification.
4) The instructions explicitly tell the agent not to display raw API responses or token values to the user; lack of transparency about tokens is a privacy consideration.
If you trust the nemovideo service and are comfortable with tokens/sessions being stored locally, the skill appears usable; otherwise request the skill source or vendor documentation (where tokens are stored, data retention, and privacy) before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latestvk977gteke0ccx6gb7257p5tfcx84rfbw
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
