ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Free Video Generator

v1.0.0

Turn your ideas into polished, shareable videos without paying for expensive software or subscriptions. The ai-free-video-generator skill lets you produce en...

0· 35·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate videos and the SKILL.md describes a video-rendering backend (session creation, SSE messaging, upload, render/export endpoints). Requesting an API token (NEMO_TOKEN) is consistent with that purpose.
!
Instruction Scope
Instructions direct the agent to: use NEMO_TOKEN or obtain an anonymous token by POSTing to an external endpoint; create sessions and send SSE requests; and perform uploads that reference local file paths (multipart -F "files=@/path"). They also instruct detecting the agent platform by checking install paths (~/.clawhub, ~/.cursor/skills) — that requires reading the user filesystem even though the skill declares no config path requirements. Reading those paths and uploading arbitrary local files expands the agent's access beyond simple API calls and should be explicitly declared and authorized.
Install Mechanism
No install steps or binary downloads are specified (instruction-only). This minimizes install-time risk because nothing is written to disk by an installer.
Credentials
The skill asks for a single credential (NEMO_TOKEN), which is appropriate for an API-backed service. However, the instructions include a fallback to obtain an anonymous token by POSTing to an external domain and then using that token as NEMO_TOKEN — this involves network calls that the user should be aware of and consent to. No other credentials are requested.
Persistence & Privilege
The skill is not marked always: true and does not request elevated platform-wide persistence. Autonomous invocation is allowed (platform default) but not combined with other privilege-escalating flags.
What to consider before installing
This skill appears to implement what it claims (calls to a video-rendering API), but exercise caution before installing: - Provenance: there is no homepage or known source for this skill; verify the upstream service (mega-api-prod.nemovideo.ai) and the skill author before trusting it. - Token handling: the skill will use NEMO_TOKEN from the environment or call an anonymous-token endpoint to get credentials. Do not put high-privilege or unrelated credentials in NEMO_TOKEN. Prefer a scoped, throwaway token if you test it. - Local files: the skill can upload local files (it references multipart uploads and file paths). Only allow file uploads you explicitly choose and avoid sensitive files. - Filesystem checks: the instructions detect install paths (~/.clawhub, ~/.cursor/skills). If you don’t want the skill probing your home directory, don’t install it or run it in a sandboxed environment. - Lack of install script is good for limiting disk writes, but also means there is no code to review — ask the vendor for source or a homepage, or run in an isolated environment first. If you want to proceed: test with non-sensitive data, avoid storing long-lived credentials in NEMO_TOKEN, and request the skill’s source or documentation from the publisher to improve trust. If you are uncomfortable with the unknown upstream domain or filesystem probing, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eqa4j0yjbgqs5vfrr27qxw9841kg1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments