Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grok Ai Video Generator
v1.0.4The grok-ai-video-generator skill on ClawHub lets you produce, remix, and refine video content through natural conversation with Grok's reasoning engine. Des...
⭐ 0· 87·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill’s name and SKILL.md describe video creation/editing via nemovideo.ai and the declared primary credential (NEMO_TOKEN) and endpoints align with that purpose. However, registry metadata (Required env vars: NEMO_TOKEN; Required config paths: none) conflicts with the SKILL.md which declares NEMO_TOKEN optional (auto-generated anonymous token flow) and explicitly lists ~/.config/nemovideo/ as a config path. This metadata mismatch is inconsistent and deserves confirmation from the publisher.
Instruction Scope
Instructions are explicit: check/use NEMO_TOKEN, read or create ~/.config/nemovideo/client_id, call the external API (mega-api-prod.nemovideo.ai) including an anonymous-token endpoint, create sessions, handle uploads/exports, and use SSE for streaming operations. These actions are coherent for a cloud video service. Important scope notes: the skill will upload user-provided video files to a third-party API and will read/write the client_id file in the user's home directory.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing will be downloaded or written at install time beyond what the agent does at runtime (the client_id file). This is the lowest install-risk category.
Credentials
Registry metadata requires NEMO_TOKEN, but SKILL.md documents an anonymous-token flow and marks NEMO_TOKEN as not required (auto-generated), and also lists other optional environment variables (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID). The mismatch between declared required env vars and the skill's own instructions is inconsistent. The skill will obtain or use tokens (NEMO_TOKEN) and may set them for the session — users should confirm whether tokens are persisted to disk or only kept in-memory. Only one service credential is requested (proportionate), but ensure you trust the external service before sending sensitive media.
Persistence & Privilege
always:false (normal). The only persistent action is writing/reading ~/.config/nemovideo/client_id (a UUID) to avoid re-generating client IDs; this is reasonable for rate-limit avoidance. The skill does not request elevated or system-wide privileges, but it will persist a client_id in the user's home directory and contacts an external API.
What to consider before installing
This skill appears to be a legitimate front-end for nemovideo.ai, but there are metadata inconsistencies and it will send your video files to an external API and write a client_id file to ~/.config/nemovideo/. Before installing: 1) Confirm the publisher/source (registry lists source as unknown though SKILL.md includes a GitHub repo and homepage). 2) Decide whether you're comfortable uploading potentially sensitive videos to nemovideo.ai and review their privacy/TOS. 3) If you prefer not to provide a long-lived token, rely on the anonymous-token flow but note the skill may store the client_id on disk; verify it does not persist your NEMO_TOKEN. 4) If you need higher assurance, request the skill's code or inspect the referenced GitHub repo to confirm no hidden behaviors, or create an isolated nemovideo account and limited token for use with this skill. 5) If anything about the required env vars or config paths is unclear, ask the publisher to reconcile the registry metadata and SKILL.md before use.Like a lobster shell, security has layers — review code before you run it.
latestvk972c0kznj8jsf3caz9nc1xyvn83qk8g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN