Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker Free Canva

v1.0.0

Get finished MP4 video ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, JPG, PNG, up to 200MB), say something like "tu...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description and required credential (NEMO_TOKEN) align with a cloud video-rendering service. However the SKILL.md metadata lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths—this inconsistency is unexplained. The skill has no homepage or known publisher, reducing provenance.
Instruction Scope
Runtime instructions make direct network calls to a third-party API (mega-api-prod.nemovideo.ai) to mint anonymous tokens and run render jobs, which is expected for this kind of service. But the skill explicitly instructs the agent to 'Don't display raw API responses or token values to the user', which is unusual (it hides server responses/tokens) and increases risk of opaque behavior or token misuse. It also instructs the agent to read YAML frontmatter and detect install paths (~/.clawhub, ~/.cursor/skills) — reading those locations is narrow but should be disclosed. Overall the actions are within a renderer's domain but include hiding of internal data and an unexplained configPath.
Install Mechanism
Instruction-only skill with no install spec, no code files, and no downloads. This minimizes disk-write/remote code execution risk; network calls are the main surface.
Credentials
The primaryEnv NEMO_TOKEN is appropriate for a cloud API. However SKILL.md metadata's optional configPaths (~/.config/nemovideo/) is not declared in the registry-level required config paths, creating a mismatch and raising the question why local config access would be needed for a cloud render-only skill.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It instructs the agent to store a session_id for requests but does not request persistent system-level changes or other skills' configs.
What to consider before installing
This skill behaves like a cloud video-renderer and only needs a NEMO_TOKEN, which fits its purpose — but proceed cautiously because: (1) the SKILL.md asks the agent to auto-generate anonymous tokens and to hide raw API responses/tokens from the user, which is unusual and reduces transparency; (2) SKILL.md mentions reading a local config path (~/.config/nemovideo/) that isn't declared elsewhere; and (3) the skill has no homepage or known publisher. Before installing: verify the service/domain (mega-api-prod.nemovideo.ai) and developer reputation, prefer providing your own NEMO_TOKEN instead of allowing anonymous-token creation if you want control, don't upload sensitive media you wouldn't want sent to an external service, and ask the publisher to explain the configPath and the reason for hiding API responses. If you need higher assurance, request a homepage/privacy policy or an explanation of data retention and token handling from the author.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN