ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Generator Free Online

v1.0.0

content creators, small business owners, students generate text or images into ready-to-share videos using this skill. Accepts MP4, MOV, PNG, JPG up to 200MB...

0· 57·0 current·0 all-time
by@susan4731-wilfordf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description describe an online AI video generator and the skill only needs a service token and upload capability — that matches the stated purpose. However, the metadata declares a required config path (~/.config/nemovideo/) that is not used or explained in the runtime instructions, and the skill marks NEMO_TOKEN as required even though the SKILL.md describes obtaining an anonymous token if it's absent. These are small but unexplained mismatches.
Instruction Scope
SKILL.md instructs the agent to: read its own YAML frontmatter, detect install path, use NEMO_TOKEN if present (or obtain an anonymous token via a POST), create sessions, upload user files (multipart or URL), use SSE endpoints, poll render status, and return download URLs. Those actions are coherent with producing cloud-rendered videos. The instructions do hide technical details from chat and require the agent to perform network calls and file uploads (user files). The only scope creep is the platform-detection via local path checks and the unexplained configPath in metadata.
Install Mechanism
This is an instruction-only skill with no install specification and no code files, so nothing is written to disk by an installer. That is the lowest-risk install mechanism.
Credentials
The skill declares a single primary credential NEMO_TOKEN, which is appropriate for a third‑party API. But the SKILL.md also provides a fallback flow to obtain an anonymous token (so requiring NEMO_TOKEN as mandatory is inconsistent). The metadata also lists a config path (~/.config/nemovideo/) that the runtime instructions do not justify — requesting access to a user config folder without explanation is disproportionate.
Persistence & Privilege
always:false and no install-time changes or cross-skill configuration are requested. The skill can be invoked by the model (normal behavior) and there is no 'always: true' or other elevated persistence.
What to consider before installing
This skill behaves like a cloud video-rendering client: it will make network requests to https://mega-api-prod.nemovideo.ai, upload any files you provide, and use a NEMO_TOKEN (or fetch an anonymous token) to create sessions and render videos. Before installing: (1) Decide whether you trust the external service and its privacy policy — do not upload sensitive or proprietary media if you are unsure. (2) Prefer providing a scoped/ephemeral NEMO_TOKEN rather than a long-lived secret. (3) Note the metadata lists ~/.config/nemovideo/ (not referenced in runtime steps) — ask the publisher why the skill needs that local config access or remove the requirement. (4) Remember the agent will perform network actions and may hide technical details from chat; if you want to audit activity, avoid installing or restrict the skill to non-sensitive tasks.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cdg42y66wg2j6ktwvnzkcf984j531

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments