ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Generator Free

v1.0.4

Create professional videos from text and prompts for free with AI — generate complete video content from descriptions, scripts, ideas, and briefs without exp...

0· 139·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description and homepage indicate a text-to-video service (NemoVideo). Requesting a service token (NEMO_TOKEN) is consistent with calling a third‑party API to generate videos.
Instruction Scope
The SKILL.md excerpt is primarily marketing and use-case examples; no explicit runtime commands or data-access steps are visible in the truncated content. The embedded metadata references a config path (~/.config/nemovideo/), but the visible docs do not show how the token or files are read/written. The full SKILL.md should be checked for any instructions that read arbitrary local files, environment variables, or send data to endpoints other than the NemoVideo API.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest-risk install model because nothing is written to disk by an install step. Runtime behavior still matters, but there is no package download or archive to inspect.
!
Credentials
Registry metadata shows an unusual inconsistency: 'required env vars' is empty while a primary credential NEMO_TOKEN is declared, and the SKILL.md metadata lists a config path (~/.config/nemovideo/). That mismatch is unexplained. A single API token for the service would be reasonable, but you should confirm what NEMO_TOKEN scopes are and why it isn't listed in requires.env, and whether the skill will store or read persistent credentials from the config path.
Persistence & Privilege
The skill is not always-enabled (always: false). Autonomous invocation is allowed (the platform default). The metadata's config path suggests the skill may read/write ~/.config/nemovideo/ to persist tokens or settings — that's reasonable for an API client but should be confirmed and limited to the skill's own config directory.
What to consider before installing
This skill appears to be a straightforward wrapper for NemoVideo, but there are unexplained metadata mismatches that you should clear up before installing. Ask the publisher to: 1) provide the full SKILL.md/runtime instructions so you can confirm it only calls the NemoVideo API and does not read arbitrary local files or environment variables; 2) explain why NEMO_TOKEN is declared as the primary credential but not listed in required env vars, and show the token's scope and lifetime; 3) confirm what the skill does with ~/.config/nemovideo/ (read/write only for local token/storage?). If you decide to proceed, use a least-privilege/test token (not your primary account token), review network activity to confirm calls go to nemovideo.com/API endpoints, and avoid giving highly privileged or multi-service credentials. If the publisher cannot explain the inconsistencies or provide the full runtime instructions, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk974zpj1vaze040jz375gqk6rd83t7h8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
Primary envNEMO_TOKEN

Comments