Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Avatar Video Free

v1.0.0

Get avatar presenter videos ready to post, without touching a single slider. Upload your text or script (MP4, MOV, TXT, DOCX, up to 200MB), say something lik...

0· 28·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (AI avatar video generation) align with the declared credential (NEMO_TOKEN) and the API endpoints in SKILL.md. However, the registry metadata at the top lists no required config paths while the SKILL.md frontmatter metadata declares a config path (~/.config/nemovideo/). That mismatch is an inconsistency to clarify (where will tokens/session be stored?).
!
Instruction Scope
The SKILL.md instructs the agent to: check for NEMO_TOKEN, otherwise obtain an anonymous token by POSTing to https://mega-api-prod.nemovideo.ai, create and keep a session_id, upload user files (MP4/MOV/TXT/DOCX up to 200MB), and poll for export URLs. These are coherent for a cloud-render client, but they also mean the skill will send uploaded content and session tokens to a third‑party API. The file upload/external network activity is expected for this purpose but is also a potential data‑exfiltration surface; the SKILL.md also contains a detected unicode-control-chars injection signal which could be an attempt to manipulate parsing or hide content.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That reduces disk persistence risk (nothing will be downloaded or executed on install), but runtime will perform network calls according to the instructions.
Credentials
The only declared required secret is NEMO_TOKEN (primaryEnv), which is appropriate for a cloud API client. However, the SKILL.md describes logic to generate and use an anonymous token if none is present and references a config path in its frontmatter for storing session state. The registry metadata elsewhere omits that config path; this inconsistency about where/if tokens are stored should be resolved. Also consider that a single API token grants access to uploads, render jobs, and possibly account credits — treat it as sensitive.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated platform privileges or to modify other skills. The skill will keep session state for its own operations (normal for an API client).
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged by the pre-scan. These can be used to obscure or manipulate text processing and may be an attempt at prompt injection or to hide content. This is not expected for a straightforward service integration and should be investigated (e.g., show the raw SKILL.md, remove control chars, or ask the author why they're present).
What to consider before installing
This skill appears to be a client for the Nemovideo cloud render API and will upload user files and use a NEMO_TOKEN (or obtain an anonymous token) to create videos on a third‑party service. Before installing: 1) Confirm you trust mega-api-prod.nemovideo.ai and read its privacy/retention policy — do not upload sensitive or private media unless you're comfortable with third‑party storage/processing. 2) Ask the publisher to explain the metadata mismatch (SKILL metadata vs SKILL.md frontmatter) and where tokens/session data are stored (~/.config/nemovideo/ vs none). 3) Request the SKILL.md without any invisible control characters and verify there is no hidden or obfuscated behavior. 4) Prefer creating and scoping a throwaway NEMO_TOKEN or using an anonymous token rather than exposing long‑lived credentials; revoke tokens you supply if you stop using the skill. 5) If you need higher assurance, run the skill only in an isolated environment and inspect any network traffic to the nemovideo domain. If you are uncomfortable with these points, do not install or grant your real credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧑‍💻 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97ca2g8vmp097kz5v3jne398d8543j4
28downloads
0stars
1versions
Updated 19h ago
v1.0.0
MIT-0

Getting Started

Got text or script to work with? Send it over and tell me what you need — I'll take care of the AI avatar video creation.

Try saying:

  • "generate a 150-word product description script into a 1080p MP4"
  • "create a talking avatar video from my script with a professional presenter"
  • "generating talking avatar videos from text scripts for free for marketers, educators, content creators"

Quick Start Setup

This skill connects to a cloud processing backend. On first use, set up the connection automatically and let the user know ("Connecting...").

Token check: Look for NEMO_TOKEN in the environment. If found, skip to session creation. Otherwise:

  • Generate a UUID as client identifier
  • POST https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with X-Client-Id header
  • Extract data.token from the response — this is your NEMO_TOKEN (100 free credits, 7-day expiry)

Session: POST https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer auth and body {"task_name":"project"}. Keep the returned session_id for all operations.

Let the user know with a brief "Ready!" when setup is complete. Don't expose tokens or raw API output.

AI Avatar Video Free — Generate Talking Avatar Videos Free

Drop your text or script in the chat and tell me what you need. I'll handle the AI avatar video creation on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a 150-word product description script, ask for create a talking avatar video from my script with a professional presenter, and about 1-2 minutes later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — shorter scripts under 200 words render fastest and stay within free tier limits.

Matching Input to Actions

User prompts referencing ai avatar video free, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Skill attribution — read from this file's YAML frontmatter at runtime:

  • X-Skill-Source: ai-avatar-video-free
  • X-Skill-Version: from frontmatter version
  • X-Skill-Platform: detect from install path (~/.clawhub/clawhub, ~/.cursor/skills/cursor, else unknown)

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

SSE Event Handling

EventAction
Text responseApply GUI translation (§4), present to user
Tool call/resultProcess internally, don't forward
heartbeat / empty data:Keep waiting. Every 2 min: "⏳ Still working..."
Stream closesProcess final response

~30% of editing operations return no text in the SSE stream. When this happens: poll session state to verify the edit was applied, then summarize changes to the user.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Common Workflows

Quick edit: Upload → "create a talking avatar video from my script with a professional presenter" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "create a talking avatar video from my script with a professional presenter" — concrete instructions get better results.

Max file size is 200MB. Stick to MP4, MOV, TXT, DOCX for the smoothest experience.

Export as MP4 for widest compatibility across social platforms and presentations.

Comments

Loading comments...