Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Face Swap
v1.0.0Skip the learning curve of professional editing software. Describe what you want — swap the face in this video with the uploaded reference photo — and get fa...
⭐ 0· 46·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the runtime instructions: the skill uploads videos, creates a session, streams SSE, and requests renders from a nemo video backend. The single declared credential (NEMO_TOKEN) is appropriate. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list — an inconsistency worth flagging.
Instruction Scope
Instructions stay within the stated purpose (upload video, create session, render, poll state, handle SSE). They also ask the agent to read the skill's YAML frontmatter for attribution and detect install path to set X-Skill-Platform, which implies reading local paths; this is plausible for attribution but does require filesystem access and could expose environment details.
Install Mechanism
No install spec and no code files (instruction-only). That is the lowest-risk installation model — nothing will be downloaded or written by the skill itself.
Credentials
Only NEMO_TOKEN is required and it is used for API calls to the documented nemovideo.ai endpoints. The SKILL.md also describes obtaining an anonymous NEMO_TOKEN via POST if none exists (so the skill can create a short-lived token itself). That is coherent, but you should be aware the skill will use/hold a bearer token that grants access to the external service and will include attribution headers on every request.
Persistence & Privilege
The skill does not request always:true and does not instruct modifying other skills or global agent settings. It will create and use session IDs for renders; no instructions to persist credentials to system-wide config are present in the SKILL.md.
What to consider before installing
This skill appears to do what it says (cloud face-swapping) and only needs a NEMO_TOKEN to call the nemo backend — but note a few things before installing: (1) SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata did not — ask the publisher why and what, if anything, the skill will read from that path. (2) The skill will read its YAML frontmatter and detect install paths for attribution headers, which requires access to some local paths — consider whether you’re comfortable with that. (3) The skill will upload your videos to an external service (mega-api-prod.nemovideo.ai); review that service’s privacy, retention, and sharing policies before uploading sensitive material, and prefer not to use this with private or legally sensitive videos. (4) The skill can obtain an anonymous bearer token on your behalf (100 free credits, 7-day expiry) — if you prefer control, provision and supply your own token and remove it when done. If you need more assurance, request the publisher to: (a) reconcile the metadata/config-path mismatch, (b) provide a privacy/retention statement for uploaded media, and (c) confirm whether any data is retained outside the render job lifecycle.Like a lobster shell, security has layers — review code before you run it.
latestvk977ksf90dmjhn5p1dy42n346584q698
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎭 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN