Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tutorial Video Maker
v1.0.5Turn any screen recording, demo footage, or plain text description into a polished instructional video through simple chat commands. The AI breaks your conte...
⭐ 0· 286·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (create/edit tutorial videos via Nemovideo) matches the network calls and upload flows in SKILL.md and the declared config path (~/.config/nemovideo/). However the registry metadata declares NEMO_TOKEN as a required env var while the SKILL.md explicitly supports auto-generating an anonymous token if NEMO_TOKEN is absent — this mismatch is unexplained and could affect how credentials are provided. Overall capability aligns with purpose, but the env/credential handling is inconsistent.
Instruction Scope
The SKILL.md instructs the agent to make many curl-based HTTP requests (session creation, SSE, uploads, credits, state queries) and to read/write ~/.config/nemovideo/client_id. Those actions are consistent with a cloud video service but they do involve network transfer of user files and local persistence of a client_id and session token. The instructions do not attempt to read unrelated system files, but they do direct data to an external API (mega-api-prod.nemovideo.ai), which is expected for this skill but important to note.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is installed to disk by the skill itself. That reduces install-time risk. However, the runtime instructions rely on curl (and possibly uuidgen), which are not declared as required binaries in the registry metadata — see cross-dimension inconsistency.
Credentials
The registry lists a single required env var (NEMO_TOKEN) and designates it as the primary credential. SKILL.md, however, treats NEMO_TOKEN as optional (auto-generates an anonymous token when missing) and references additional optional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID, SKILL_SOURCE) that are not declared in requires.env. This mismatch and the instruction to 'store the returned token as NEMO_TOKEN' (potentially persisting credentials for the session) merit caution: the skill will contact an external service and may persist identifiers/tokens locally.
Persistence & Privilege
The skill will read from and write to a per-user config path (~/.config/nemovideo/client_id) to persist a client identifier, which is declared in metadata. 'always' is false and it does not request elevated system-wide privileges or modification of other skills. Persisting a client_id and temporarily storing session tokens is reasonable for this use case but is a persistence behavior you should be aware of.
What to consider before installing
What to consider before installing: (1) This skill will send video/audio files and metadata to an external API (mega-api-prod.nemovideo.ai / nemovideo.com). Only proceed if you trust that service and its privacy/TOS. (2) The SKILL.md runs curl commands (network I/O) and will create ~/.config/nemovideo/client_id — verify you're comfortable with a persisted client ID and session token behaviour. (3) The registry metadata and SKILL.md disagree about NEMO_TOKEN (required vs auto-generated) and the skill does not declare curl as a required binary; clarify how you should supply credentials and whether anonymous tokens are acceptable. (4) If you want to limit risk, prefer using ephemeral tokens, test with non-sensitive videos, and inspect network traffic or the service's repo/homepage (https://nemovideo.com, github link in manifest) before granting access.Like a lobster shell, security has layers — review code before you run it.
latestvk976tx4ytgc2c05w6ev9mkpsw184an01
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
ð¬ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN