Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ugc Video
v1.0.0
content creators and marketers create raw phone footage into authentic UGC clips using this skill. Accepts MP4, MOV, WebM, AVI up to 500MB, renders on cloud...
by peandrover adam @peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (cloud UGC video rendering) matches the API calls and upload/upload+render workflow described in SKILL.md. However the registry requires NEMO_TOKEN while the runtime instructions explicitly support obtaining an anonymous token via the nemovideo.ai API if NEMO_TOKEN is missing — this mismatch between declared requirements and actual behavior is incoherent and should be clarified.
Instruction Scope
SKILL.md instructs the agent to upload user-provided video files to https://mega-api-prod.nemovideo.ai, use SSE endpoints, poll render status, and handle multipart file uploads. It also instructs auto-creation of tokens and to 'auto-detect' platform from install path (which implies reading agent filesystem). These are within the skill's editing/rendering purpose, but they involve network exfiltration of user-supplied media and reading local install/config locations — both are sensitive operations and not fully justified in the manifest.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write executables to disk. That lowers install-time risk.
Credentials
The registry lists a single required env var (NEMO_TOKEN), which is appropriate for a cloud API. But SKILL.md uses NEMO_TOKEN if it is present and otherwise POSTs to an anonymous-token endpoint to obtain a token, which is inconsistent with that requirement. The SKILL.md frontmatter also references a config path (~/.config/nemovideo/) that the registry did not list. These mismatches raise questions about what credentials/config the skill will read or write and where any auto-created tokens are stored.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does ask to keep session_id in memory for operations, which is normal for a session-based API. There is no install-time persistence declared.
What to consider before installing
This skill will upload whatever video you provide to an external service (mega-api-prod.nemovideo.ai) and use a bearer token (NEMO_TOKEN) to operate; if NEMO_TOKEN is missing it will attempt to create an anonymous token via the API. Before installing or using it: (1) Do not upload private or proprietary footage until you confirm the service operator, privacy/data retention policy, and whether uploaded files are stored or shared. (2) Ask the publisher why the registry requires NEMO_TOKEN but the skill auto-creates an anonymous token, and whether the anonymous token is persisted on disk (and where). (3) Confirm what the quoted 'credits' and expiry mean and whether operations could incur charges. (4) If you need to test, do so with non-sensitive content only. (5) Prefer skills with a verifiable homepage/source and documented privacy/security posture; consider an offline tool if you cannot accept sending media to a third party.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📱 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
