ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Audio Generator

v1.0.0

Cloud-based ai-audio-generator tool that handles generating voiceovers for video content. Upload TXT, DOCX, PDF, MP4 files (up to 200MB), describe what you n...

0· 16·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions (cloud-based voiceover/video renders). The only declared credential is NEMO_TOKEN, which is appropriate. However the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and should be clarified.
!
Instruction Scope
Runtime instructions require contacting an external API (mega-api-prod.nemovideo.ai), creating sessions, uploading user files, and polling renders — all expected for this service. Concerns: (1) If NEMO_TOKEN is absent the skill automatically requests an anonymous token and is instructed to 'store' the token/session_id for subsequent requests without specifying safe storage or retention policy. (2) The SKILL.md tells the agent not to display raw API responses or token values to the user, which reduces transparency. (3) It asks to auto-detect platform via 'install path' (X-Skill-Platform) but is vague about how to read that, leaving room for broad filesystem queries. These behaviors expand the agent's discretion and data retention without clear limits.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk. No downloads or extracted archives are requested.
Credentials
Only NEMO_TOKEN is declared as a required env var, which is consistent with a cloud API integration. However the skill can obtain an anonymous token itself via the external API if the env var is not set; this means it does not strictly require user-provided credentials and will cause network requests and token storage. The frontmatter's config path reference appears disproportionate unless the skill actually reads or writes that directory — that behavior is not documented.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform-wide privileges. It does instruct storing session tokens for reuse but does not request modifying other skills or system-wide settings.
What to consider before installing
This skill appears to be a cloud service frontend that will upload your files and talk to https://mega-api-prod.nemovideo.ai. Before installing, consider: (1) Are you comfortable sending your scripts/media to an external service? Avoid uploading sensitive or proprietary content. (2) Ask the publisher how and where the anonymous NEMO_TOKEN and session_id will be stored and for how long; prefer a workflow that uses a user-provided token if you want control. (3) Confirm why the SKILL.md mentions ~/.config/nemovideo/ (the registry said no config paths); if the skill reads/writes that directory, understand what data is stored. (4) Verify the external domain and privacy/retention policy for rendered content. If any of these answers are unclear, treat the skill cautiously or test it with non-sensitive data only.

Like a lobster shell, security has layers — review code before you run it.

latestvk977nqt6ss9b1fkbh5a8kf2ych84kzcq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎙️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments