Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Maker Invitation Free
v1.0.0Get invitation video MP4 ready to post, without touching a single slider. Upload your images or clips (MP4, MOV, JPG, PNG, up to 200MB), say something like "...
⭐ 0· 38·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to create/export invitation videos via a cloud backend and all API endpoints in SKILL.md reflect that purpose. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and could cause the agent to attempt reading a local config directory it doesn't need. Otherwise the single declared env var (NEMO_TOKEN) aligns with the described cloud service.
Instruction Scope
Instructions are focused on creating sessions, uploading media, streaming SSE events, polling render jobs, and returning download URLs — all consistent with a cloud video render service. They do include guidance to use multipart uploads with local file paths (e.g., files=@/path) which implies the agent may reference file paths; in practice the agent should only upload files the user provides in-chat. The skill also instructs generating anonymous tokens and performing network requests to the external API (mega-api-prod.nemovideo.ai), which is expected for this service.
Install Mechanism
No install spec or code files are present (instruction-only skill), so nothing will be written to disk by an installer. This is the lowest-risk install model for static code installation.
Credentials
The skill declares a single primary credential NEMO_TOKEN, which is proportionate for a third-party video API. However, SKILL.md also documents an anonymous-token flow that can obtain a NEMO_TOKEN by POSTing to the service if none is present — meaning the token is optional in practice. That makes the registry's requirement of NEMO_TOKEN inconsistent with runtime behavior. The frontmatter's configPaths entry is also unnecessary for normal cloud usage and raises questions about whether the agent will try to read local config files.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistent presence. It does keep ephemeral session IDs/tokens for render jobs (normal for this use-case). There is no instruction to modify other skills or system-wide settings.
What to consider before installing
This skill will upload any images/video you hand it to a third-party service at mega-api-prod.nemovideo.ai and return a downloadable MP4; verify you trust that domain and do not submit private or sensitive media unless you accept that. Note the registry says NEMO_TOKEN is required but the instructions show an anonymous-token flow that obtains its own token — if you set NEMO_TOKEN in your environment you may be giving the skill access to your account, so only set it if you trust the service. The SKILL.md frontmatter also references ~/.config/nemovideo/, which is inconsistent with the registry — ask the publisher why the skill might read that local path. No installer code was included (instruction-only), and no static scan findings were produced, but that only means there was nothing for the scanner to analyze; it does not guarantee safety. If you need higher assurance, request the skill's homepage/source, ask the author to explain the configPath/token inconsistency, and confirm the privacy/retention policy for uploaded media before using it.Like a lobster shell, security has layers — review code before you run it.
latestvk97akkjpv3d882kajpeaqf6p9584scgb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎉 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN