Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kling Ai Video Generator

v1.0.0

Get AI-generated videos ready to post, without touching a single slider. Upload your text or images (JPG, PNG, WEBP, MP4, up to 200MB), say something like "g...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md describes uploading media, creating sessions, streaming SSE, rendering and downloading MP4s from a cloud API (mega-api-prod.nemovideo.ai). Requesting a NEMO_TOKEN for API access is expected for this purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and logic to detect install path for an X-Skill-Platform header while the registry metadata provided earlier said no config paths—this mismatch is unexplained.
!
Instruction Scope
The instructions explicitly call external endpoints, upload user files, stream SSE, and create sessions (expected). Concerns: (1) SKILL.md claims to derive an X-Skill-Platform value by inspecting install paths (e.g., ~/.clawhub/) which implies the agent may look at filesystem/install location; (2) the frontmatter includes a config path (~/.config/nemovideo/) suggesting potential read/write of local config, but the registry metadata did not declare config paths. Also the registry lists NEMO_TOKEN as required, while SKILL.md says an anonymous-token flow can be used if the env var is missing—this contradiction affects how credentials are handled at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest install risk: nothing is downloaded or written by an installer step itself. Runtime will make HTTP calls to the backend, which is expected for a cloud service.
!
Credentials
Only NEMO_TOKEN is declared as required and is plausibly necessary. But SKILL.md indicates the token is optional (anonymous-token endpoint provides a 7-day free token), so the registry's 'required env var' claim is inconsistent. The skill requests no other credentials, which is proportional, but the contradiction about whether a permanent token is needed should be resolved before trusting a long-lived secret.
Persistence & Privilege
The skill does not request always:true or elevated platform-wide privileges. It appears to operate per-session and uses server-side rendering; no instructions explicitly require modifying other skills or agent config. The presence of a config path in frontmatter suggests it might persist a token/session locally, but there are no explicit instructions to do so.
What to consider before installing
This skill appears to contact a third‑party video generation API and needs a NEMO_TOKEN to authenticate, but the SKILL.md also documents an anonymous-token fallback and references a local config path and 'install path' detection. Before installing or providing a permanent NEMO_TOKEN you should: (1) confirm whether the token is truly required or whether the skill will default to short‑lived anonymous tokens; (2) ask the publisher where tokens/sessions are stored (does it write to ~/.config/nemovideo/?); (3) verify the backend hostname (mega-api-prod.nemovideo.ai) and privacy policy—uploads will be transmitted to that service; (4) prefer using a scoped/ephemeral token or account with minimal permissions if possible; and (5) request clarification or a source/homepage so you can inspect code. The main red flags are metadata/instruction mismatches (declared required env var vs. anonymous flow, and configPaths present in SKILL.md but not in registry). If you cannot get satisfactory answers, consider not providing a long-lived secret.

Like a lobster shell, security has layers — review code before you run it.

latestvk97evs90gea21gzkq60dm7gaz584q5gn


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
