Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Motion Video Skill
v1.0.0
Turn a 30-second product demo clip into 1080p motion-enhanced videos just by typing what you need. Whether it's adding professional motion effects to raw vid...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (cloud AI video motion enhancement) aligns with the APIs and flows described in SKILL.md. However, the registry lists NEMO_TOKEN as a required environment variable while the SKILL.md explicitly describes automatically obtaining an anonymous token if NEMO_TOKEN is not set. Also the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) but the registry metadata reported no required config paths — these mismatches suggest the declared requirements do not fully reflect the runtime behavior.
Instruction Scope
The instructions direct the agent to interact with an external service (mega-api-prod.nemovideo.ai): create sessions, upload user video files, stream SSE chat, poll render status, and store session IDs. That behavior is expected for this purpose, but the SKILL.md also mandates hiding raw API responses and not displaying token values, and it instructs storing session state (no clear, explicit guidance where to persist it). The file-level metadata requires attribution headers and an auto-detection of platform from install path (which implies reading agent environment/install paths). The SKILL.md references a config path (~/.config/nemovideo/) that could be used for persistence although the registry listed none — reading/writing that path is scope creep unless justified.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk install risk; the runtime behavior is purely outbound API calls described in the SKILL.md.
Credentials
Only one credential (NEMO_TOKEN) is declared — which is proportionate — but the skill both declares it required and documents a flow to obtain an anonymous token automatically if it's missing. This contradiction is important: the agent may create and store credentials on the user's behalf. In addition, SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry did not declare; if the skill reads/writes that directory it may persist tokens or session state beyond a single run. No other unrelated secrets are requested.
Persistence & Privilege
always is false and the skill can be invoked normally. The only persistence implied is storing session_id (and possibly the anonymous token) and the SKILL.md frontmatter suggests a config path for persistence. This is not inherently malicious, but the registry omission of the config path and the token auto-creation behavior increase the risk that the skill will create persistent credentials or files without clear user consent.
What to consider before installing
This skill appears to implement a legitimate cloud video render flow, but there are inconsistencies you should resolve before installing:
(1) The registry claims NEMO_TOKEN is required, yet the skill will auto-generate an anonymous token if none is provided — ask the publisher which behavior is intended and whether tokens the agent creates are stored persistently.
(2) SKILL.md mentions a config path (~/.config/nemovideo/) but the registry omitted it — confirm whether the skill will read/write that directory and what it will store.
(3) The backend domain (mega-api-prod.nemovideo.ai) and the skill source are unknown — request the skill source or an official homepage and a privacy/TOS link.
Until clarified, avoid giving the skill long-lived or privileged credentials; prefer providing a scoped/ephemeral token if you must test. If you proceed, monitor network calls, restrict the agent's outbound access where possible, and inspect any files written under ~/.config/ for unexpected data.
Like a lobster shell, security has layers — review code before you run it.
latest vk971d22dnn313vyas2rcnkdqmx84q62n
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
