ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker Ai

v1.0.8

AI video maker that generates and edits videos entirely through conversation. Describe a video concept and the AI creates it from scratch — or upload existin...

0· 228·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (AI video generation/editing) is coherent with requiring an API token (NEMO_TOKEN) for a hosted service and a per-service config path (~/.config/nemovideo/). However, the registry metadata shown to you earlier listed no required env vars or config paths while the SKILL.md includes them — this mismatch is unexpected and should be clarified with the publisher.
Instruction Scope
The runtime instructions (natural-language description) stay within the scope of creating and editing videos. The SKILL.md does not instruct the agent to read arbitrary system files beyond the declared ~/.config/nemovideo/ path or to exfiltrate data to unrelated endpoints. The apiDomain is a service endpoint for the vendor (mega-api-dev.nemovideo.ai), which aligns with the declared purpose.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers supply-chain risk compared to skills that download and execute code.
Credentials
The SKILL.md requests a single credential (NEMO_TOKEN) and a single config path, which is plausible for calling a remote video API. However, the original registry metadata omitted these requirements — the inconsistency is concerning. Providing a long-lived or broadly privileged token could expose other resources; confirm the token's scope and prefer least-privilege or per-skill API keys.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not declare modification of other skills or system-wide settings. No elevated persistence privileges are requested.
What to consider before installing
Before installing or enabling: (1) Confirm the discrepancy between the registry listing (which showed no required env vars) and the SKILL.md (which requests NEMO_TOKEN and ~/.config/nemovideo/). Ask the publisher why the registry metadata differs. (2) If you must supply NEMO_TOKEN, create a least-privilege API key limited to video-generation operations and with a short expiry if possible. (3) Verify the apiDomain (mega-api-dev.nemovideo.ai) and homepage (nemovideo.com) are legitimate and use HTTPS/TLS; prefer contacting the vendor or checking their repo for documentation. (4) Treat the ~/.config request as sensitive — check what files it would expose and avoid giving access to system-wide credentials. (5) If you need stronger assurance, request a complete, matching manifest (registry metadata vs SKILL.md) or avoid installing until the publisher resolves the inconsistency.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ft4cc8869c4b30gpeer96eh84d0kq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments