Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bing Video Creator
v1.0.0Cloud-based bing-video-creator tool that handles generating videos from text prompts or descriptions. Upload MP4, MOV, AVI, WebM files (up to 500MB), describ...
⭐ 0· 48·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is described as a 'Bing Video Creator' but all runtime instructions talk to mega-api-prod.nemovideo.ai (a third‑party service) rather than any Microsoft/Bing endpoint — possible mislabeling or false branding. The SKILL.md frontmatter also declares a config path (~/.config/nemovideo/) that is not present in the registry metadata, creating a mismatch about what the skill expects to access.
Instruction Scope
The runtime instructions tell the agent to obtain or use a bearer token (NEMO_TOKEN), create a session_id, and upload local files (multipart '@ /path') to the external API. They also instruct the agent to detect install path to set an 'X-Skill-Platform' header and derive attribution headers from frontmatter. These behaviors require reading local paths/config and transmitting user files and session tokens to an external service — appropriate for a cloud video tool but higher-risk if the service or naming is misleading.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk-write/install risk because nothing is downloaded or written by the skill itself.
Credentials
The declared required credential (NEMO_TOKEN) matches the API described. However, SKILL.md references a config directory (~/.config/nemovideo/) and runtime detection of install paths even though registry metadata lists no required config paths — this inconsistency could mean the skill will attempt to read local config or paths that were not clearly declared. Requesting a single token is reasonable for a remote video API, but the undeclared local-path access is disproportionate and should be clarified.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/always-on installation or system-wide changes. It does instruct saving session_id for the API session (expected for the service) but does not request elevated platform privileges.
What to consider before installing
This skill will upload user media and use a bearer token (NEMO_TOKEN) to call mega-api-prod.nemovideo.ai — it does not contact Microsoft/Bing despite its name. Before installing or using: (1) Confirm who runs 'nemovideo.ai' and whether you trust them with any media or sensitive content; (2) Do not set or share sensitive tokens unless you trust the service; use anonymous/test data first; (3) Ask the skill author to explain why the registry metadata omits the ~/.config/nemovideo/ path and why the skill claims to be 'Bing' while pointing at nemovideo endpoints; (4) If you must test, use non-sensitive files and monitor the requests (or use a disposable token/account). If the author cannot satisfactorily explain the naming/metadata mismatches, avoid using it with private data.Like a lobster shell, security has layers — review code before you run it.
latestvk97fc09hktw5kptk1rybv294v984j527
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN