Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Photo Video

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — turn these photos into a YouTube slideshow video with transitions and musi...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (turn photos into YouTube-ready videos) aligns with the runtime actions (uploading images, starting render jobs, polling for results). Requiring a NEMO_TOKEN is reasonable for a cloud service, but the SKILL.md provides an anonymous-token flow if NEMO_TOKEN is missing, so declaring NEMO_TOKEN as a required primary credential is inconsistent with the instructions.
! Instruction Scope
Instructions explicitly direct the agent to upload user files and send them to a third-party API (https://mega-api-prod.nemovideo.ai). They also instruct generating a UUID, requesting anonymous tokens, creating sessions, uploading files (multipart or URLs), using SSE for interactive edits, and polling render endpoints. These actions are within the advertised purpose, but the SKILL.md also describes deriving X-Skill-Platform from the agent's install path and references a config path (~/.config/nemovideo/), which implies the agent may inspect local file paths and home-directory locations — this expands scope beyond pure upload/render and may read local environment/install location.
Install Mechanism
Instruction-only skill with no install spec or code to write to disk. This is low-risk from an install-mechanism perspective.
! Credentials
Registry metadata lists NEMO_TOKEN as a required primary credential, but SKILL.md provides a fallback anonymous-token acquisition flow (POST to /api/auth/anonymous-token) and thus NEMO_TOKEN may not actually be strictly required. The SKILL.md frontmatter also references a config path (~/.config/nemovideo/) even though the registry summary lists no required config paths — a mismatch. Aside from NEMO_TOKEN, no unrelated credentials are requested. The real risk is that user images and generated session tokens will be sent to the external service; sensitive content could be exposed.
Persistence & Privilege
The skill is not marked always:true and does not request persistent installation or to modify other skills. It does create and use session IDs for render jobs, but that is limited to its own workflow. Autonomous invocation is allowed (default) but not combined with other high-risk factors here.
What to consider before installing
This skill uploads your images and session data to a third-party service (nemovideo.ai). Before installing or using it:
1) Decide whether you are comfortable sending photos (especially sensitive ones) to an external renderer.
2) Note the inconsistency: the registry declares NEMO_TOKEN as required, but the skill can obtain an anonymous token itself — set an environment token only if you trust the service.
3) Ask the publisher for source code or a privacy policy / terms of service for mega-api-prod.nemovideo.ai and confirm data retention and access controls.
4) If you must use it, avoid uploading private or sensitive images and consider creating a throwaway account or using the anonymous flow rather than supplying long-lived credentials.


latest: vk97e684430qdkt6g9knxqeezxx84my8w


Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
