Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jewelry Video Maker

v1.0.5

Turn raw clips and photos of your jewelry into polished, scroll-stopping product videos ready for Instagram, Etsy, TikTok, or your online store. This jewelry...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill claims to send footage to a cloud rendering backend and the instructions require a single NEMO_TOKEN credential and call the nemovideo API—this is proportionate to the stated purpose. Minor inconsistency: the registry metadata listed no config paths, but the SKILL.md frontmatter references a config path (~/.config/nemovideo/) which suggests the skill may also look for local config files; the mismatch is unexplained but not critical.
Instruction Scope
Instructions are focused on creating/using a session token, uploading media, sending SSE messages, checking credits, and exporting renders — all expected for a cloud video service. Important runtime behaviors: it will (a) look for NEMO_TOKEN in environment, (b) if absent call an anonymous-token endpoint to obtain a temporary token, (c) upload user media (multipart file/path or URL) to the external API, and (d) read install path heuristics to set an X-Skill-Platform header. The skill does not ask for unrelated system data or other credentials, but it will transmit user media and metadata to an external domain.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That minimizes install-time risk.
Credentials
Only one credential is declared (NEMO_TOKEN), which aligns with the cloud API usage. The skill also documents a fallback anonymous-token flow so it can obtain a token if none is present (100 free credits, 7-day expiry). The frontmatter references a local config path (~/.config/nemovideo/) and install-path detection; those accesses are plausible for attribution, but the registry metadata did not list them, which is an inconsistency to be aware of.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide privileges, and does not modify other skills. It operates as an autonomous, user-invocable skill by default (normal).
Assessment
This skill will upload your photos and video clips to an external service (mega-api-prod.nemovideo.ai) for cloud processing and will use or obtain a NEMO_TOKEN to authenticate. Before installing or using it, consider: (1) Do you trust this external service to handle your media? Verify ownership, privacy policy, and retention/deletion guarantees. (2) If you already have a NEMO_TOKEN, prefer supplying a token you control; otherwise the skill may generate an anonymous token with limited credits. (3) The SKILL.md references a local config path and checks install paths for attribution—if you prefer to avoid any local-path reads, ask the skill author for clarification. (4) Avoid uploading sensitive or private imagery unless you have confirmed the service’s policies. If you want higher assurance, request the skill source, a public homepage, or the API provider's documentation before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latest vk978qd72798ka6hg4paa436m4x84a2hs

Runtime requirements

💍 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
