Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Avatar Video Free
v1.0.0
Generate text or script into avatar presenter videos with this avatar-video-free skill. Works with MP4, MOV, TXT, DOCX files up to 200MB. marketers, educator...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the skill calls a remote nemovideo.ai API to generate avatar videos and expects a NEMO_TOKEN. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that is not declared in the registry metadata and is not clearly motivated by the described functionality — this inconsistency should be clarified.
Instruction Scope
The instructions direct the agent to create or reuse a bearer token, open sessions, upload files, use server-sent events, poll job status, and include specific attribution headers. Those actions are consistent with a cloud render service, but the file contains detected unicode-control-characters (possible hidden chars/prompt-injection) and an instruction to 'keep the technical details out of the chat', which could hide behavior from users — both increase risk and reduce transparency.
Install Mechanism
Instruction-only skill (no install spec, no code files). No binaries or third-party packages are installed by the skill itself — this minimizes on-disk risk.
Credentials
The skill requires a single credential (NEMO_TOKEN), which fits the stated purpose. It also documents a fallback anonymous-token flow (POST to the service) which is reasonable. The frontmatter's mention of a config path is disproportionate or at least unexplained given the registry metadata shows no required config paths.
Persistence & Privilege
always: false and the skill is instruction-only. It does not request permanent presence or system-wide config changes and does not ask to modify other skills.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden unicode control characters in SKILL.md are not required for a video-generation integration and may indicate an attempt to obfuscate or manipulate parsing/evaluation. This finding increases suspicion and should be investigated (view the raw file bytes).
What to consider before installing
Before installing or using this skill: (1) Treat NEMO_TOKEN like any API credential — do not supply high-privilege or unrelated keys (AWS, GitHub, Slack, etc.). (2) Inspect the SKILL.md file in a hex/raw view to confirm there are no hidden/control characters or injected instructions. (3) If you lack a trusted NEMO_TOKEN, prefer the anonymous-token flow but test with non-sensitive scripts and small files first. (4) Ask the author to explain the ~/.config/nemovideo/ config path and why registry metadata omitted it. (5) Monitor network activity and outgoing hostnames — the skill talks to mega-api-prod.nemovideo.ai; if you see other unexpected endpoints, revoke tokens and avoid using the skill. If the author cannot explain the metadata mismatch and hidden characters, avoid installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk97847252kapxdk9m6j3mssaq584n95k
Runtime requirements
🧑💻 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
