ClawHub

Museum Tour Video

v1.0.0

Your museum has a permanent collection that took 80 years to assemble, a traveling exhibition opening next month, and an education program that serves 12,000...

0· 28·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the single required credential (NEMO_TOKEN) and the SKILL.md shows a direct call to a nemo video generation API — these are coherent for a video-generation/promotional-video skill.
Instruction Scope
The runtime instructions are simple and explicit: POST to https://mega-api-prod.nemovideo.ai/api/v1/generate with Authorization: Bearer $NEMO_TOKEN. The instructions do not ask the agent to read unrelated local files or other environment variables. Note: the SKILL.md's metadata also references a config path (~/.config/nemovideo/) which is not listed in the registry requirements — a minor inconsistency to verify.
Install Mechanism
No install spec and no code files (instruction-only) — lowest-risk install posture. The skill relies on an external API rather than installing binaries.
Credentials
Only one credential is required (NEMO_TOKEN), which matches the API call in SKILL.md. However SKILL.md metadata includes a config path (~/.config/nemovideo/) while the registry metadata earlier indicated no required config paths — clarify whether the skill will read that config directory and what it contains. Ensure the NEMO_TOKEN scope is limited to video-generation and does not grant broad access.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or elevated agent-wide privileges.
Assessment
This skill appears to be a straightforward integration with a third-party video-generation service and only asks for NEMO_TOKEN. Before installing: (1) confirm the origin of the skill (source/homepage unknown) and trustworthiness of the nemo service host (mega-api-prod.nemovideo.ai); (2) verify what permissions the NEMO_TOKEN grants and limit the token to only the necessary API scopes; (3) ask whether the skill will read ~/.config/nemovideo/ (SKILL.md metadata mentions it) and inspect any files stored there; (4) avoid uploading sensitive or private footage until you confirm the service's privacy/data-retention policy; (5) if you need stronger assurance, request source code or an authoritative homepage from the publisher so you can audit exactly what the skill will send to the remote API.

Like a lobster shell, security has layers — review code before you run it.

latestvk972xzvjn9wgg4xgs2xgzrk1m5848zrf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏛️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments