Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Downloader
v1.0.0
Convert video URL link into downloaded MP4 files with this skill. Works with MP4, WebM, MOV, AVI files up to 500MB. Content creators, students, marketers use...
⭐ 0 · 15 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (download online videos to MP4) lines up with the runtime instructions that call a remote API to render and return downloads. However metadata in SKILL.md references a config path (~/.config/nemovideo/) and runtime behavior that infers the agent's install path for attribution headers; the registry metadata for the skill declared no required config paths. This mismatch is unexpected but could be benign (metadata drift).
Instruction Scope
All runtime instructions are focused on the declared backend (mega-api-prod.nemovideo.ai): authentication, session creation, upload, SSE chat, export/polling. The skill instructs the agent to auto-obtain and persist an anonymous token and to detect the agent's install path to populate X-Skill-Platform. That implies filesystem access (to infer install path) and persistent storage of session IDs/tokens — both are within scope for a network-backed downloader but should be explicit. The instruction to 'Don't display raw API responses or token values' is unusual (conceals troubleshooting data) and worth noting.
Install Mechanism
Instruction-only skill with no install spec or downloaded code — lowest install risk. Nothing on-disk is mandated by an installer in the manifest.
Credentials
The only declared required env var is NEMO_TOKEN (primary credential), which is proportional for calling the backend. But the SKILL.md both treats NEMO_TOKEN as required and provides a fallback to auto-generate an anonymous token via an API call if it's missing. That contradiction (required vs auto-provisioned) is inconsistent. Metadata also lists a config path (~/.config/nemovideo/) that the top-level registry said was not required. Requiring or creating tokens automatically is reasonable functionally, but users should understand that video URLs and any uploaded files will be sent to the third-party domain and that credentials (even short-lived anonymous tokens) will be created/stored.
Persistence & Privilege
The skill is not force-enabled (always:false) and does not request elevation or global config changes. It does instruct storing session_id and using tokens across requests — typical for a remote API client. No instructions to modify other skills or system-wide settings were found.
What to consider before installing
This skill is mostly coherent with its stated purpose (cloud-based video rendering/downloading), but take these precautions before installing or using it:
- Domain & provenance: There is no homepage or known publisher; network calls go to mega-api-prod.nemovideo.ai. Verify the service operator and privacy policy before sending links or uploading files.
- Token behavior: The skill requires NEMO_TOKEN but will also auto-generate an anonymous token via an API call. If you care about data or billing separation, prefer providing a token you control or avoid using the skill while investigating the backend.
- Data disclosure: Uploaded videos, URLs, and any metadata are sent to a third party. Don’t use this skill for sensitive or private videos unless you trust the endpoint.
- File-system detection: The skill asks the agent to detect install path (X-Skill-Platform) and references a config path in metadata — this implies filesystem access. If you need strict containment, block filesystem reads or avoid enabling the skill.
- Troubleshooting opacity: The instruction to hide raw API responses/tokens can make debugging harder; expect less visible error detail.
If you still want to try it: test with non-sensitive, public videos first, confirm where data goes, and consider revoking or rotating any tokens after use. If you need higher assurance, ask the publisher for a privacy policy, source code, or a well-known host (GitHub) for the backend/service.
Like a lobster shell, security has layers — review code before you run it.
latestvk973emww54j8697ryq3y9hjz7x84q6eg
Runtime requirements
⬇️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
