ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vue Component Generator Free

v1.0.0

Get Vue component files ready to post, without touching a single slider. Upload your component descriptions (MP4, MOV, AVI, WebM, up to 200MB), say something...

0· 41·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate Vue components and export video) align with the API endpoints described (upload, render, export). However the metadata and instructions ask the agent to inspect install paths and a nemovideo config directory (~/.config/nemovideo/) which is not obviously required to generate components; that filesystem probing is an extra capability compared to the stated purpose.
!
Instruction Scope
Runtime instructions include creating an anonymous token if NEMO_TOKEN is absent, storing a session_id for subsequent requests, probing install paths to set X-Skill-Platform, and an explicit instruction to "Don't display raw API responses or token values to the user." Instructions to "process internally, don't forward" backend tool results and to hide token values increase the chance that sensitive values or opaque backend responses will be kept from the user. The skill also requires uploading user media; make sure uploads are expected and safe. These behaviors expand the agent's discretion beyond simple generation.
Install Mechanism
No install script or third-party downloads are present (instruction-only). That minimizes installation risks — the skill does not write code or binaries to disk by itself.
Credentials
Only NEMO_TOKEN is declared as required which is appropriate for a service-backed renderer. Still, the metadata references a config path (~/.config/nemovideo/) and the SKILL.md instructs automatic anonymous token creation when NEMO_TOKEN is not set. Automatically generating and storing credentials (and hiding them from the user) is a capability that should be justified.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does instruct storing a session_id for ongoing requests which may be persisted; the SKILL.md does not specify where or how long. No evidence it modifies other skills or global agent settings.
What to consider before installing
Before installing, verify where session tokens and any anonymous NEMO_TOKEN are stored and how long they persist; prefer to set your own NEMO_TOKEN with limited scope rather than relying on the skill's anonymous-token workflow. Ask the vendor (or skill author) to clarify why the skill needs to probe install paths or read ~/.config/nemovideo/, and request that API responses or tokens not be hidden from users if you want transparency. Do not upload sensitive or private data (credentials, proprietary code, PII) to the service without confirming its privacy policy and retention. If you want lower risk, run this skill only in a constrained environment and avoid granting it broad autonomous access until you confirm storage/telemetry behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk979a9dr5833cp75xhze3skaed84q9j8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

⚙️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments