Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Music Video Generator From Lyrics

v1.0.0

Musicians and independent artists generate lyrics text into synced music videos using this skill. Accepts TXT, DOCX, PDF, SRT up to 10MB, renders on cloud GP...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (turning lyrics into synced music videos) align with the SKILL.md instructions: it uploads files, opens a session, sends SSE generation messages, and requests renders from a cloud API (mega-api-prod.nemovideo.ai). Requesting a service token (NEMO_TOKEN) and performing HTTP calls to a rendering backend is expected.
Instruction Scope
The instructions are detailed and primarily limited to interacting with the external nemovideo API (auth, session creation, uploads, SSE, render start/poll). They instruct using an env NEMO_TOKEN or obtaining an anonymous token via an API call. A few ambiguous or odd items: the frontmatter requires a local config path (~/.config/nemovideo/) but the runtime text does not show explicit reads of that path; attribution headers include an auto-detected X-Skill-Platform value derived from 'install path' (ambiguous for an instruction-only skill); and the documentation tells the agent to "keep technical details out of the chat," which instructs hiding implementation details from the user. These are not proof of maliciousness but are worth clarifying.
Install Mechanism
There is no install spec and no code files (instruction-only). That minimizes on-disk code execution risk because nothing is downloaded or written at install time.
Credentials
The declared required environment variable is a single NEMO_TOKEN, which is proportionate for a cloud API. However, the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is inconsistent and could imply accessing local config files (tokens or cached data) without that being clearly declared. Only one secret is requested, but the mismatch should be clarified before trusting long-lived credentials.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation (model-invocation) is allowed (default), which is normal for skills. There is no installation step that writes to global config or other skills' settings.
What to consider before installing
This skill appears to do what it claims (call a cloud API to render videos) but comes from an unknown source and has a metadata inconsistency about a config path. Before using it:
1) Do not provide long-lived or highly privileged credentials—use a throwaway/anonymous token if possible.
2) Avoid uploading sensitive or unreleased audio/lyrics until you verify the service's privacy/terms.
3) Ask the publisher for a homepage, privacy policy, and confirmation whether the skill reads ~/.config/nemovideo/ (the registry metadata and frontmatter conflict).
4) If you proceed, prefer a sandboxed environment, monitor outgoing network requests to mega-api-prod.nemovideo.ai, and revoke any tokens after use.
If the publisher cannot clarify provenance and the config-path discrepancy, treat the skill as higher risk.


Runtime requirements

🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
