ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Social Copy Generator

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — generate social media captions and on-screen text for my product video — a...

0· 53·0 current·0 all-time
by@roca-677
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Requesting a NEMO_TOKEN and calling a remote video-rendering API is coherent with a caption/rendering service. However, SKILL.md declares a config path (~/.config/nemovideo/) in its frontmatter while the registry metadata earlier listed no required config paths — an inconsistency. The skill also inspects the agent's install path (~/.clawhub/, ~/.cursor/skills/) to set an attribution header, which is not strictly needed to provide captioning and implies the skill will read parts of the filesystem.
!
Instruction Scope
Runtime instructions tell the agent to automatically obtain an anonymous token (POST to mega-api-prod.nemovideo.ai), create and store a session_id, upload user video files, and stream/poll SSE endpoints. These are expected for a cloud render service. Concerns: (1) the skill will mint and store credentials if none exist, (2) it explicitly instructs the agent to derive platform attribution by reading install paths on disk, and (3) it asks the agent not to show raw API responses or token values to the user — implying it will handle secrets internally. There is no instruction to the user about where tokens/sessions are stored or their lifetime beyond 7 days for the anonymous token.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes filesystem persistence and removes risks from downloaded/executed archives. Network calls are the primary surface.
Credentials
Only one credential (NEMO_TOKEN) is declared as required and is the primaryEnv — this is appropriate for a remote rendering API. However, the SKILL.md both treats NEMO_TOKEN as required and provides a pathway to obtain an anonymous token automatically, which is inconsistent with 'required' semantics in the registry. The token grants the remote service the ability to accept uploads, create render jobs, and access session state — so its scope is meaningful and sensitive.
Persistence & Privilege
always:false and normal agent-invocation defaults. The skill does not request permanent platform-level privileges or claim it will modify other skills or global agent configuration. It does instruct storing a session_id (local session state), which is normal for a session-based API.
What to consider before installing
This skill mostly does what it says (upload videos to a remote service and return rendered captioned videos), but review these points before installing: 1) NEMO_TOKEN is sensitive — it allows the remote service to accept uploads and manage renders. Confirm what that token can access and whether it reuses account-level credentials. 2) The skill will mint an anonymous token if none is present and store session IDs/tokens; ask where they are stored (metadata mentions ~/.config/nemovideo/) and whether they are written to disk. 3) The SKILL.md instructs the agent to inspect install paths to set an attribution header — consider whether you want the skill to read your filesystem layout. 4) The skill communicates with a third-party domain (mega-api-prod.nemovideo.ai); only upload non-sensitive video content unless you trust the service and its privacy policy. 5) Registry metadata and SKILL.md disagree about required config paths — this is likely sloppy packaging but worth clarifying with the publisher. If you decide to proceed: create and use an ephemeral or limited-scope token (not one tied to sensitive accounts), avoid uploading private data, and consider running the skill in an environment where accidental token persistence is acceptable. If you need higher assurance, ask the publisher for a privacy/security statement and an explicit explanation of where tokens/sessions are stored and how long they are retained.

Like a lobster shell, security has layers — review code before you run it.

latestvk979bzt4xhcp6606a6kaerrhpn84qt63

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✍️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments