Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Text To Video Ai Generator

v1.0.0

Cloud-based free-text-to-video-ai-generator tool that handles generating videos from written text or scripts. Upload TXT, DOCX, PDF, plain text files (up to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the instructions: the skill calls a cloud API to create videos from text and requires a NEMO_TOKEN for that API. However, the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) while the registry metadata shows no required config paths — an incoherence that should be clarified. Source/homepage are absent, so the backend domain and ownership cannot be independently verified.
Instruction Scope
Runtime instructions are specific and constrained to the described service: obtain (or create) a token, create a session, send SSE messages, upload user files (multipart or URL), poll rendering status, and download results. These instructions do require the agent to read the skill's own frontmatter and detect install path to populate attribution headers, and to access any local file paths the user asks to upload. The skill does not instruct the agent to read unrelated system files or arbitrary secrets, but the upload capability means user-provided files can be transmitted to the remote API.
Install Mechanism
No install spec and no code files (instruction-only), which reduces disk-write risk. However, the skill has no verifiable source or homepage and points at a single API host (mega-api-prod.nemovideo.ai) — lack of provenance increases risk because you cannot audit the backend or confirm operator identity.
Credentials
Only one required environment variable is declared (NEMO_TOKEN), which is proportional for a cloud API client. The SKILL.md allows creating an anonymous token if none is present. The inconsistency between the SKILL.md frontmatter (which lists a config path) and the registry metadata (which lists none) is a discrepancy to resolve — the config path could grant access to local credentials if used, so its presence in one place but not the other is concerning.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation. It does not request elevated platform privileges. Be aware that autonomous invocation plus network access means the agent could call the remote API without further prompts, but that is standard for skills that implement cloud services.
What to consider before installing
This skill appears to do what it says (text→video) and only needs a single API token, but there are a few red flags: no source/homepage to verify the vendor, and a mismatch in metadata about a local config path (~/.config/nemovideo/) which could indicate sloppy packaging or an attempt to access local config. Before installing: (1) ask the publisher for a homepage, privacy policy, and API ownership info; (2) do not store sensitive credentials in NEMO_TOKEN — use a limited/ephemeral token if possible; (3) avoid uploading sensitive local files since the skill will send any user-specified file to the remote API; (4) if you proceed, monitor network activity and rotate any tokens after use. If the publisher cannot justify the missing metadata or provenance, treat this skill as untrusted.

latest: vk976xsvtg3stkj349ywddraw3184kjgw

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
