ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Music Generator Free Ab Old

v1.0.1

Get 1080p MP4 files from your video clips using this ai-music-generator-free tool. It runs AI music generation on cloud GPUs, so your machine does zero heavy...

0· 49·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to generate AI background music for videos and only requests a NEMO_TOKEN credential, which matches that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reports no required config paths — this mismatch is incoherent and worth verifying.
Instruction Scope
Runtime instructions are an API-driven workflow: obtain or use NEMO_TOKEN, create a session, upload files, stream SSEs, and request renders. These actions are within scope for the stated purpose. Minor scope- creeping items: the instructions tell the agent to read the skill's frontmatter (for attribution/version) and to detect install path to set X-Skill-Platform — those require the agent to inspect filesystem/install locations. The skill does not instruct reading unrelated system files or other environment variables.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an install standpoint (nothing is written to disk by an installer).
Credentials
The single required credential (NEMO_TOKEN) is proportional to a cloud API integration. The anonymous-token flow is described so the skill can operate without a pre-set token, which is reasonable. The earlier-mentioned config path in the SKILL.md (not present in registry metadata) should be clarified — it suggests the skill may look for local nemovideo config files, which is not explained and may broaden data access.
Persistence & Privilege
The skill does not request always:true and does not instruct modifications to other skills or system-wide settings. It asks the agent to save session_id for session operations, which is normal for a session-based API.
Assessment
This skill generally behaves like a cloud-based AI video/music service and only needs a single service token (NEMO_TOKEN). Before installing: (1) verify the external domain (mega-api-prod.nemovideo.ai) and confirm you trust that service and its data-retention/privacy policies; (2) clarify the config-path discrepancy (SKILL.md mentions ~/.config/nemovideo/) — ask whether the skill will try to read local nemovideo config files; (3) avoid placing sensitive videos or secrets into an account you don't control; (4) prefer using the anonymous-token flow or a disposable account/token rather than your primary credentials; and (5) if you need stronger assurance, request the publisher/source or a signed endpoint/manifest — absence of source/homepage increases uncertainty.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aep0jfgfrckmkp26xvgs82d84fak7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments