ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Generator Free App

v1.0.0

Get ready-to-share videos ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, JPG, PNG, up to 200MB), say something like...

0· 42·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a cloud video generator and it requests a single service token (NEMO_TOKEN), plus an anonymous-token fallback flow — this matches the stated purpose. The attribution headers and session-based render API described are coherent with a hosted rendering backend. One inconsistency: the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/) while the registry metadata provided earlier listed no required config paths; clarify whether the skill needs local config access.
Instruction Scope
Instructions stay within the stated purpose: create a session, upload user media, stream SSE for progress, and request renders. The agent is explicitly told to POST user files and metadata to https://mega-api-prod.nemovideo.ai — this means user images/clips will be transmitted to a third-party service. The skill also instructs obtaining an anonymous token when NEMO_TOKEN is absent. The SKILL.md does not instruct reading unrelated system files, but the frontmatter's configPaths (see above) could imply optional local config access; confirm whether the agent will read ~/.config/nemovideo/.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest install risk: nothing will be written to disk by an installer step. Runtime will make network calls as described.
Credentials
Only one credential (NEMO_TOKEN) is declared and used, which is proportionate for a hosted API. However, the frontmatter's configPaths value suggests optional local config access that wasn't declared in the registry metadata — this discrepancy should be clarified. Also be aware that if NEMO_TOKEN is present in the environment, the skill will use it automatically to authenticate requests.
Persistence & Privilege
The skill is not always-enabled and does not request system-level privileges. Autonomous invocation (disable-model-invocation=false) is normal for skills and expected here. The instructions do not direct modifying other skills or system-wide configurations.
Assessment
This skill appears to do what it says: it will upload the media you provide to a third-party rendering service (mega-api-prod.nemovideo.ai) and use a NEMO_TOKEN (or fetch an anonymous token) to run jobs. Before installing or invoking it: (1) confirm you are comfortable having your images/audio sent to that external service and review their privacy/terms; (2) verify whether the skill actually needs to read ~/.config/nemovideo/ (frontmatter vs registry metadata mismatch) — if not, ask the publisher to remove the configPaths entry; (3) avoid putting long-lived or high-privilege secrets in NEMO_TOKEN unless you trust the service; using the anonymous-token flow minimizes credential exposure; (4) verify the backend domain and publisher (source is unknown) if you need stronger provenance. If any of these points are unclear, treat the installation cautiously or ask the publisher for clarification.

Like a lobster shell, security has layers — review code before you run it.

latestvk973x5zfp36hv81pv48b419tvd84rvd0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments