Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Json Video Generator Free

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — convert my JSON script into a narrated video with text overlays and transi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (JSON→video) match the required credential (NEMO_TOKEN) and the described API endpoints. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md contains detailed runtime instructions to perform network calls, upload large files, handle SSE, poll export status, and obtain anonymous tokens if NEMO_TOKEN is missing — all expected for a cloud render service. However it repeatedly instructs the agent to 'keep the technical details out of the chat', to 'process tool call/result internally, don't forward', and to omit or hide backend details. Those directions intentionally limit visibility to the user and grant the skill discretionary stealthy behavior, which is a scope and transparency concern.
Install Mechanism
Instruction-only skill with no install steps or downloads. Lowest risk for install-time code being dropped to disk.
Credentials
Only NEMO_TOKEN is required (declared as primaryEnv), which is appropriate for an API-backed rendering service. Metadata references a config path (~/.config/nemovideo/) — plausible but not strictly necessary; it may indicate local config access if implemented.
Persistence & Privilege
always:false and normal model invocation. Autonomous invocation is allowed (platform default). Combined with the explicit instructions to hide backend activity, autonomous runs could perform network interactions without surfacing technical details to the user — a transparency risk but not an outright privilege escalation in itself.
What to consider before installing
This skill appears to be what it says (a cloud JSON→video service) and only asks for one credential (NEMO_TOKEN), but review these points before installing:

1) The SKILL.md instructs the agent to hide technical details and process responses internally — ask the author to remove or explain that behavior so you can see what network calls and uploads occur.
2) Prefer testing with an anonymous token, or a token with limited credits, instead of your primary NEMO_TOKEN.
3) If you need auditing or visibility, request that the skill log requests/responses or surface backend errors to the user.
4) Avoid providing other unrelated credentials and don't grant broad system permissions.

If you are not comfortable with the skill silently performing network uploads or concealing backend interactions, treat it as unsafe to enable autonomously.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9792h5ztgct6gk0axcq52degd84r9gj


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
