Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Generator Ai
v1.0.2
video-generator-ai is a ClawHub skill that transforms text prompts, scripts, and asset inputs into fully rendered video content through a conversational inte...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match the runtime instructions (calls to nemovideo API, upload/export flows). Requesting a NEMO_TOKEN credential and contacting mega-api-prod.nemovideo.ai is coherent for a video-generation integration. However, the repository/registry metadata at the top (no required config paths) contradicts the SKILL.md metadata which declares ~/.config/nemovideo/ as a config path. That mismatch is unexplained and worth flagging.
Instruction Scope
SKILL.md instructs reading/writing ~/.config/nemovideo/client_id (persisting a UUID) and performing many API calls (session creation, upload, export). It will transmit user prompts and uploaded assets to nemovideo servers — appropriate for the stated purpose but potentially sensitive. There are contradictory statements in the doc about whether NEMO_TOKEN is required (top-level registry lists it required; the table in SKILL.md marks it 'No'). This ambiguity could lead to unexpected behavior (anonymous token flow vs. using a long-lived token).
Install Mechanism
No install spec and no code files (instruction-only) — lowest install risk. Nothing is being downloaded or extracted by an installer.
Credentials
The only declared credential is NEMO_TOKEN (primaryEnv), which is appropriate for an external API. SKILL.md also references optional NEMO_CLIENT_ID and SKILL_SOURCE; it persists a client_id file. The number and type of env vars are proportional, but the earlier-mentioned contradictions about whether NEMO_TOKEN is required should be resolved before trusting behavior.
Persistence & Privilege
always:false (normal). The skill will write ~/.config/nemovideo/client_id to persist a client identifier; this file contains a UUID only (per the doc). Writing a small config file in the user's home is reasonable for rate-limiting reasons, but it is persistent filesystem activity and should be disclosed to users.
What to consider before installing
- The skill will send your prompts, uploaded files, and export requests to nemovideo's API (mega-api-prod.nemovideo.ai). If your content is sensitive, do not upload it without reviewing NemoVideo's privacy/security policies.
- The skill persists a client_id at ~/.config/nemovideo/client_id. This is claimed to be a non-secret UUID, but it is written to disk — be aware of local persistence.
- There is an inconsistency in the package metadata vs. SKILL.md: the registry header says no required config paths, but SKILL.md lists ~/.config/nemovideo/ and the environment-token field is ambiguous (SKILL.md table marks NEMO_TOKEN optional while registry lists it required). Ask the publisher to clarify whether NEMO_TOKEN is required and what exactly is stored locally.
- If you want to try safely, create an account/token with limited/burner credits or use the anonymous token flow described (which expires in 7 days) rather than exposing a long-lived production API key.
- Because this is an instruction-only skill, there is no local installer risk, but the agent will perform network calls autonomously. Only install if you trust nemovideo.com and are comfortable with your data leaving your machine for processing.
- If anything is unclear (token scope, data retention, export URLs), contact the skill author or NemoVideo support before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.
latest vk9782wfj8hsqkp42r80272b1g183rcb9
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
