ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Video Builder — Build Complete Videos from Text with Music and Subtitles

v1.0.0

All-in-one AI video creator that builds complete, production-ready videos from simple text descriptions. This skill combines video generation, background mus...

0· 361·1 current·1 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match a video-generation skill and explicitly reference a NemoVideo backend (mega-api-prod.nemovideo.ai), which is consistent with the stated functionality. However, the skill provides no concrete API endpoints, authentication method, or example requests — so it's unclear how the agent should legitimately achieve the described capability.
!
Instruction Scope
SKILL.md instructs the agent to 'use NemoVideo API' at mega-api-prod.nemovideo.ai and to process user-supplied text into videos. It does not document authentication, rate limits, data retention, or privacy. Because the agent would need to transmit user-provided content (potentially sensitive) to an external service, the lack of any data-handling or consent guidance is a concern. The instructions are vague/open-ended rather than precise operational steps.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which reduces risk from arbitrary downloads or on-disk execution. Nothing is written to disk by an installer according to the provided metadata.
Credentials
The skill requests no environment variables or credentials. That could mean it calls a public API, but more likely indicates missing information: a production video API typically requires an API key or account. The absence of declared credentials is disproportionate to the claimed backend usage and leaves ambiguity about how authentication would be handled.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system presence. Autonomous invocation is allowed (the platform default) but is not combined with broad credentials or other red flags here.
What to consider before installing
This skill claims to send your content to an external API (mega-api-prod.nemovideo.ai) but gives no details about authentication, privacy, or data retention. Before installing or using it: 1) Ask the developer for API documentation, required credentials, and a privacy/data-retention policy for NemoVideo; 2) Verify the domain and the vendor (company website, contact, and reputation); 3) Do not send sensitive or private content through the skill until you confirm how data is handled; 4) Prefer skills that declare required environment variables and provide clear example requests or SDK usage; 5) If you must test, try only non-sensitive dummy content and monitor network traffic where possible. Additional information (API keys, developer info, or concrete API docs) would raise confidence and could change the assessment to benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk971nbckr1gcnjs79yqzxqxhkh83fk89

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis

Comments