ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Text To Video Jobs

v1.0.0

convert text prompts into AI-generated videos with this skill. Works with TXT, DOCX, PDF, SRT files up to 200MB. content creators and marketers use it for tu...

0· 31·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description map to the runtime instructions: the SKILL.md describes submitting text/files and using an API to produce MP4s. The single declared credential (NEMO_TOKEN) is appropriate for an external rendering API.
Instruction Scope
Instructions stay within the stated task (create/edit/export videos) and describe session, SSE, upload, and polling flows. They instruct the agent to obtain an anonymous token if NEMO_TOKEN is not present and to include attribution headers. The skill will upload user files (up to 200MB) and thus will transmit content to an external third party — expected for this capability but important for privacy.
Install Mechanism
No install spec or code files are present (instruction-only). That limits local persistence and disk writes coming from the skill itself.
!
Credentials
The declared primary env var NEMO_TOKEN is appropriate, but the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) and runtime attribution detection that reads install paths. Registry metadata earlier listed no config paths — this metadata mismatch is inconsistent. The skill will also generate and store/use anonymous tokens (via POST to an external endpoint) if NEMO_TOKEN is not provided, which means credentials may be created/kept at runtime.
Persistence & Privilege
The skill is not always:true and uses normal autonomous invocation. It requests saving session tokens/IDs for job polling (expected). There is no install that forces persistent system-wide changes.
What to consider before installing
This skill appears to do what it says (it sends text/files to an external render service), but note three things before proceeding: (1) The package has no published source or homepage and the API host (mega-api-prod.nemovideo.ai) is an unknown third party — any text or files you upload will be sent off-platform. (2) The SKILL.md can auto-generate an anonymous NEMO_TOKEN if you don't provide one; this will enable the service to accept and process your files. If you care about confidentiality, do not upload sensitive content and consider providing a disposable or scoped token. (3) Registry metadata and the SKILL.md disagree about config paths (the frontmatter references ~/.config/nemovideo/ and install-path checks) — this mismatch is a minor red flag about care taken when publishing. Recommended actions: test with non-sensitive samples, prefer skills with clear vendor info and a homepage, or only use with an account/token that you control and can revoke.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fhd1sft1habkp2rf8a71tyd84t9k9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments