Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Voiceover

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — add a natural-sounding English voiceover that reads my script over the vid...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (AI voiceover) align with the runtime calls to nemovideo.ai and the upload/render/export endpoints — a cloud backend and an auth token make sense. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata earlier lists no required config paths, an internal inconsistency.
! Instruction Scope
The instructions tell the agent to upload user-provided video files and session data to https://mega-api-prod.nemovideo.ai and to POST to an anonymous-token endpoint if NEMO_TOKEN is absent. This means user media and metadata will be sent to a third-party service — expected for a cloud-rendering skill but privacy-sensitive. The instructions also derive headers from local install paths (platform detection) which implies inspecting install location; that may not be available or appropriate in all runtimes.
Install Mechanism
No install spec and no code files — instruction-only. That reduces disk-write risk. Nothing is downloaded or executed by an installer.
! Credentials
Only one credential is declared (NEMO_TOKEN) which fits a cloud API. But SKILL.md will POST to obtain an anonymous token if the env var is missing, meaning the declared 'required env var' is effectively optional — a behavioral mismatch. Also, using/creating a token that grants access to a third-party service increases the risk of data exfiltration (your videos and any metadata uploaded will be processed offsite).
Persistence & Privilege
always:false and no indication the skill attempts to modify other skills or system-wide settings. It requires keeping a session_id for the duration of interactions (normal for session-based APIs).
Scan Findings in Context
[no_regex_findings] expected: The static scanner found no code to analyze (instruction-only SKILL.md). Absence of findings is expected for instruction-only skills, but does not imply safety.
What to consider before installing
This skill will send any video or script you provide to a third-party backend (mega-api-prod.nemovideo.ai) for processing and can auto-generate an anonymous NEMO_TOKEN if you don't supply one. Before installing or using it:
(1) Confirm you are comfortable uploading your media to that domain (check the vendor's privacy/retention policy);
(2) Prefer providing your own NEMO_TOKEN only if you trust and control the account and know whether tokens are persisted;
(3) Ask the author to clarify why SKILL.md lists a config path but registry metadata does not, and whether the skill writes tokens or session state to disk;
(4) If your videos contain sensitive information, avoid using cloud processing or test with non-sensitive content first.
If you want greater assurance, request the skill source (code) or a privacy/security statement from the publisher before use.


latest vk973yxk4qx0z0gs7yz5w1fhfg584qsg5


Runtime requirements

🎙️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
