ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Maker Online

v1.0.0

Turn five product photos and a logo file into 1080p finished MP4 videos just by typing what you need. Whether it's generating videos from images or clips wit...

0· 20·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Skill name/description map to a cloud video-rendering service and the only declared credential (NEMO_TOKEN) is appropriate for that purpose. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch is unexplained and could indicate where session/token data will be stored.
!
Instruction Scope
Instructions tell the agent to auto-connect to an external API and, if no NEMO_TOKEN is present, to generate an anonymous token by POSTing to https://mega-api-prod.nemovideo.ai and then store a session_id for subsequent calls. The skill will upload user files (images/clips) to that external service. Auto-generating and persisting tokens and silently uploading user content are behavior a user might not expect from a simple 'starter' skill and are scope-creep relative to a passive helper.
Install Mechanism
Instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
Only NEMO_TOKEN is required and is the expected credential for the described API. However, the frontmatter's configPaths entry implies the skill may read/write ~/.config/nemovideo/ to persist session data — that access was not declared elsewhere in the registry metadata and is not justified in the description.
Persistence & Privilege
The skill instructs storing session_id (and implicitly may persist tokens), and mentions render jobs remain queued if the client disconnects. It does not request broad system privileges or 'always: true', but persistent credentials or session artifacts written to a user config directory could persist beyond the user's immediate session and should be considered.
What to consider before installing
This skill will send your uploaded images/clips to https://mega-api-prod.nemovideo.ai and may automatically create and store an anonymous token if NEMO_TOKEN isn't set. Before installing: (1) confirm you trust the nemovideo domain and its privacy/storage policy for uploaded media, (2) ask how/where session tokens are stored (the frontmatter suggests ~/.config/nemovideo/), (3) be aware that the skill will auto-initiate network calls and uploads on first use, and (4) if you need guarantees about not persisting credentials or about data retention, request those details from the skill author. The mismatch between registry metadata (no config paths) and the SKILL.md frontmatter (a config path) is unexplained and worth clarifying.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fby85mz9ga3sbw8w1tsm1c984nbhp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments