Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Text To Video Huggingface

v1.0.0

Generate text prompts into AI-generated videos with this skill. Works with TXT, DOCX, PDF, PNG files up to 10MB. Developers, content creators, researchers us...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be "HuggingFace"-related in its name/description, but every runtime instruction targets mega-api-prod.nemovideo.ai (a distinct backend). Requiring NEMO_TOKEN is consistent with a nemo-video backend, but the name is misleading. The SKILL frontmatter also lists a config path (~/.config/nemovideo/) that is not consistently represented in the published registry metadata — an inconsistency between declared metadata and the skill content.
Instruction Scope
The SKILL.md instructs the agent to look for NEMO_TOKEN and, if absent, obtain an anonymous token by POSTing to an external endpoint (anonymous-token), then use that token for all API calls. All API calls go to mega-api-prod.nemovideo.ai and require Authorization plus attribution headers. The instructions otherwise stay within the video-generation workflow and do not ask to read unrelated system files, but they do ask the agent to auto-detect platform/install path for an attribution header (which could require reading an install path). The frontmatter references a local config path even though the runtime steps don't clearly read it — this mismatch is notable.
Install Mechanism
Instruction-only skill with no install spec or code files, so nothing is written to disk at install time. This is lower risk from an installation perspective.
Credentials
Only a single credential (NEMO_TOKEN) is declared as required, which is proportionate for a cloud API client. However, the skill will generate and use an anonymous token if no NEMO_TOKEN is present and will transmit tokens to mega-api-prod.nemovideo.ai. The frontmatter's mention of a config path (~/.config/nemovideo/) is inconsistent with registry metadata and with the runtime instructions; that suggests possible uncommunicated file access expectations. Users should understand that providing NEMO_TOKEN or allowing the skill to mint an anonymous token gives the skill the power to interact with the remote service on their behalf.
Persistence & Privilege
The skill does not request always:true and has no install-time persistence. It instructs to keep session_id for in-session operations (expected transient state). There are no instructions to modify other skills or system-wide configs.
What to consider before installing
Key things to consider before installing:
- The skill name mentions HuggingFace but all API calls go to mega-api-prod.nemovideo.ai (nemo). Confirm which provider you expect and whether you trust nemovideo.ai to process your files.
- The skill requires (or will mint) a NEMO_TOKEN and will send it to the external API on every request. Only supply an existing token if you trust the backend, or let the skill obtain an anonymous token but be aware it conveys rendering usage and possibly file ownership/visibility to that service.
- The frontmatter references a local config path (~/.config/nemovideo/) that is not clearly used elsewhere — ask the publisher whether the skill reads or writes local config files before granting filesystem access.
- Avoid uploading sensitive or private documents unless you have verified the provider's privacy, retention, and access controls. Treat uploaded files as potentially accessible to the remote service operators.
- If you want to test safely: use an ephemeral/limited token, or run interactions with non-sensitive sample files first. Ask the publisher for a privacy/terms link and for clarification about the HuggingFace naming mismatch.
- Because the skill is instruction-only, there is no packaged code to review; consider requesting the service's API docs or a publisher contact to increase confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk974q7amx3am8k6fg6wbd74ksx84sjbh


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
