Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Animated Video Maker Ai
v1.0.0
Cloud-based animated-video-maker-ai tool that handles creating animated explainer or promo videos from text and images. Upload PNG, JPG, MP4, MOV files (up t...
⭐ 0 · 60 · 0 current · 0 all-time
by peandrover adam@peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions (session creation, uploads, render/export endpoints) and the single required credential (NEMO_TOKEN) is expected. However, the skill's YAML frontmatter lists a config path (~/.config/nemovideo/) and the SKILL.md describes detecting install paths (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header; these filesystem checks are not necessary for the stated purpose and conflict with the registry metadata that listed no required config paths.
Instruction Scope
Instructions are explicit about creating a session, uploading media, reading SSE streams, polling render status, and generating an anonymous token if NEMO_TOKEN is absent—these are appropriate. They also instruct deriving platform attribution by checking local install paths and reference a config directory in metadata; that suggests the agent may inspect user home paths, which is beyond what a purely API-based video renderer strictly needs.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, which limits what gets written or executed on-disk.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which is proportionate. Minor inconsistency: the SKILL.md metadata references a config path (~/.config/nemovideo/) that could imply reading local config files; that was not declared in the registry requirements and isn't justified by the description.
Persistence & Privilege
Skill does not request always:true and does not instruct changing other skills or system-wide settings. Autonomy (model invocation) is enabled by default but not combined with excessive privileges.
What to consider before installing
This skill mostly does what it says: it talks to a remote rendering API, uploads media, and returns a finished MP4 using a single NEMO_TOKEN. Before installing, consider: (1) Do not supply a long-lived or high-privilege token unless you trust the service—use the anonymous flow if possible. (2) The skill's metadata and instructions mention checking ~/.config/nemovideo/ and install paths (~/.clawhub/, ~/.cursor/skills/); ask the author why it needs to probe your home directory and whether it will read any files there. (3) The backend host (mega-api-prod.nemovideo.ai) is external and the source is unknown—if you need stronger assurance, request the skill's code or a privacy/security policy from the publisher. (4) Test with non-sensitive media and content first. These inconsistencies are suspicious but not definitive evidence of malicious intent; request clarification from the owner or decline if you are uncomfortable supplying credentials or allowing filesystem checks.
Like a lobster shell, security has layers — review code before you run it.
latestvk971me5p2bbvpaqrkysphbd9wd84jgh5
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
