Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Ai Video Maker
v1.0.0generate images or clips into AI-made videos with this google-ai-video-maker skill. Works with MP4, MOV, JPG, PNG files up to 500MB. marketers and content cr...
⭐ 0· 59·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be a "Google AI Video Maker" but all network activity is directed at mega-api-prod.nemovideo.ai (nemovideo), and there is no Google API, homepage, or publisher link — this is a branding/identity mismatch that can mislead users. The skill requests a NEMO_TOKEN which is coherent for the nemovideo backend, but the name implies a Google product when none is used. Also the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) despite the registry metadata listing no required config paths — an internal inconsistency.
Instruction Scope
SKILL.md instructs the agent to read NEMO_TOKEN from the environment, or else obtain an anonymous token by POSTing to nemovideo's anonymous-auth endpoint (including generating a UUID client id). It then creates sessions, upload endpoints, SSE streams, and posts render requests — all consistent with a cloud render service. It also requires adding attribution headers and auto-detecting an install path to set X-Skill-Platform (this implies reading the agent's install path / filesystem). The instructions explicitly tell the agent not to expose tokens, which is good, but they do direct network calls to an external third-party domain and allow uploading local files/paths (expected for a media uploader).
Install Mechanism
Instruction-only skill with no install spec and no bundled code. No on-disk install or archive downloads are performed by the skill itself — lowest install risk.
Credentials
The only declared required credential is NEMO_TOKEN (primaryEnv). That aligns with the described backend. However, the frontmatter also lists a config path (~/.config/nemovideo/) which is not reflected in the top-level registry summary — this discrepancy could indicate the skill expects or will write config files beyond the declared env var. The skill does not request unrelated credentials (no AWS/GCP/etc).
Persistence & Privilege
The skill is not always-on and is user-invocable. It uses ephemeral session tokens for backend tasks and does not request blanket system privileges. The only mild persistence signal is the frontmatter reference to a config path which could imply storing data in ~/.config/nemovideo/ if implemented, but no explicit persistent install is defined.
What to consider before installing
This skill appears to be a cloud-backed video rendering integration for nemovideo.ai, not an official Google product despite its name. Before installing: 1) Confirm you trust mega-api-prod.nemovideo.ai (privacy of uploaded media and metadata). 2) Expect the skill to send any files you provide to that third-party backend and to create/require a NEMO_TOKEN (it can auto-fetch an anonymous token). 3) Note the SKILL.md suggests reading an install path and a config directory (~/.config/nemovideo/) — ask the author whether the skill will write or read files there. 4) If you care about provenance, request a homepage/source and author info; if you proceed, prefer supplying your own NEMO_TOKEN and avoid uploading sensitive files until you confirm the service and privacy policy.Like a lobster shell, security has layers — review code before you run it.
latestvk979chhjv1wadbs9pmtf4qdvd184ke6q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN