ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Music To Video

v1.0.0

Get music-synced video ready to post, without touching a single slider. Upload your audio files (MP3, WAV, AAC, FLAC, up to 200MB), say something like "turn...

0· 55·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the network calls needed to upload audio and request server-side rendering on nemoVideo's API, which aligns with the 'music to video' purpose. However, metadata declares NEMO_TOKEN as required/primary even though the instructions include an anonymous-token flow (creating a token if none is present). The metadata also lists a config path (~/.config/nemovideo/) that the instructions never reference.
Instruction Scope
Instructions are explicit about contacting mega-api-prod.nemovideo.ai endpoints, uploading files, using SSE, and returning URLs — all relevant to the stated task. They do not instruct reading unrelated local files or secrets. Minor scope creep: headers require an 'X-Skill-Platform' value derived by 'auto-detect: ... from install path' which is ambiguous for an instruction-only skill with no install step and could imply probing install paths or filesystem metadata.
Install Mechanism
There is no install spec and no code files: the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
Only a single credential (NEMO_TOKEN) is declared which is proportionate to a cloud rendering service. But the SKILL.md provides an anonymous-token acquisition flow if NEMO_TOKEN is missing — inconsistent with declaring the token as required. NEMO_TOKEN is a bearer token for the service and would grant the skill full API access tied to that token, so handing over a long-lived token has real privilege implications.
Persistence & Privilege
always:false and default invocation settings are used. The skill does not request persistent/always-on privileges nor does it instruct modifying other skills or system-wide agent configs.
What to consider before installing
This skill appears to do what it says (upload audio to nemovideo.ai and request server-side rendering) and is instruction-only (no installer). However: 1) the metadata marks NEMO_TOKEN as required but the skill can create an anonymous token itself — don't be surprised if you aren't asked for a user token. 2) If you supply a real NEMO_TOKEN, that bearer token will grant API access to your account; only provide it if you trust the nemoVideo service and the skill owner. 3) The metadata references a config path and 'auto-detect' of an install path for a header — these are inconsistent for an instruction-only skill and could indicate sloppy metadata or unclear behavior. 4) The skill uploads your audio to a remote service; avoid uploading sensitive or private audio unless you accept the service's privacy policy. Recommended actions before installing: confirm the service domain is correct (mega-api-prod.nemovideo.ai), prefer the anonymous flow or short-lived/limited tokens if possible, and ask the publisher (owner ID unknown) for a privacy/terms link if you need assurance. If you require high assurance, do not provide long-lived credentials and request more details or a trustworthy homepage/privacy policy first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97821n6f8pwajkcxd810m550584m4qe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments