Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Maker Free Music
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — create a video and add free background music that fits the mood — and get...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud video creation + free music) align with the runtime instructions: uploading media and calling a remote render API at mega-api-prod.nemovideo.ai. Requiring a single service token (NEMO_TOKEN) is proportionate. Minor inconsistency: the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch should be clarified.
Instruction Scope
The SKILL.md explicitly instructs the agent to obtain/use NEMO_TOKEN (or generate an anonymous token via POST), create sessions, upload files, read SSE streams, and include attribution headers. These actions are consistent with a remote editing service. It also instructs the agent to read this file's YAML frontmatter and to detect install path for X-Skill-Platform — reading the skill file and the agent's install path is expected for attribution but expands file-system access beyond pure network calls. The instructions do not ask for unrelated system files or other credentials.
Install Mechanism
No install spec and no code files (instruction-only) — minimal disk/write risk. All runtime behavior is via HTTP to the specified API endpoints.
Credentials
Only one environment variable is required: NEMO_TOKEN (declared as primaryEnv). That is appropriate for a third-party API. However, the SKILL.md metadata's mention of a config path (~/.config/nemovideo/) is not reflected in the registry's required config paths — this raises a question about whether the skill will access local config files unexpectedly. Also the skill offers to mint anonymous tokens; consider whether those tokens are persisted or transmitted to other systems.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill instructs saving session_id for session management (expected). There is no indication it requests permanent elevated privileges or modifies other skills or system-wide agent settings.
What to consider before installing
What to check before installing:
- Verify the external domain (mega-api-prod.nemovideo.ai) and the service's reputation/privacy policy before handing it any token or uploading media.
- Confirm what NEMO_TOKEN represents and whether it is a short-lived anonymous token or a long-lived API key; avoid putting sensitive long-lived credentials into a skill you don't fully trust.
- Ask the publisher to explain the metadata mismatch: SKILL.md declares a config path (~/.config/nemovideo/) but the registry shows none. Clarify whether the skill will read files from that directory or persist tokens there.
- Expect that media files will be uploaded to the remote service; do not upload content you don't want transmitted externally.
- Because this is an instruction-only skill with no origin/homepage listed, prefer to use it only if you trust the source or after performing further verification (e.g., test with non-sensitive media and monitor outbound calls).

Like a lobster shell, security has layers — review code before you run it.
latest vk973b34kvsvha1zv3wfpw02jw184r8n3
Runtime requirements
🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
