Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bytedance Video Generator

v1.0.0

Generate text prompts or clips into AI-generated videos with this bytedance-video-generator skill. Works with MP4, MOV, WebM, GIF files up to 500MB. TikTok c...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate videos via a NemoVideo cloud API and the SKILL.md documents endpoints and workflows that match that purpose. However, the manifest marks NEMO_TOKEN as a required environment variable and declares a config path (~/.config/nemovideo/) even though the instructions show the skill can obtain an anonymous token automatically and do not mention reading/writing the declared config path. That mismatch is unexpected.
Instruction Scope
Runbook steps are scoped to the described cloud service: create/check token, start session, upload media, use SSE/polling, and export. The skill does require detection of an install/platform path to set an attribution header (auto-detect 'clawhub'/'cursor'/etc.), which implies reading the agent install path, but otherwise it does not instruct reading unrelated local files or secrets.
Install Mechanism
This is an instruction-only skill with no install spec or code downloads, so there is no additional install-time risk.
Credentials
The registry lists NEMO_TOKEN as required and as primaryEnv, but the SKILL.md explicitly describes obtaining an anonymous NEMO_TOKEN via /api/auth/anonymous-token if none is present. Requiring the env var in metadata while also auto-creating one is inconsistent. The declared config path (~/.config/nemovideo/) is not referenced in the instructions, which is another mismatch. Otherwise, only a single service token is requested, which is reasonable for a cloud API.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. The instructions say to keep session_id and not to expose tokens; they do not instruct modifying other skills or system-wide config. Potential persistence (where tokens are stored) is not specified.
What to consider before installing
This skill appears to do what it says (upload media and call the NemoVideo API), but there are a couple of oddities you should weigh before installing:
1) the skill metadata claims NEMO_TOKEN is required, but the instructions will create an anonymous token for you if none is present — decide whether you prefer to supply your own token or let the skill obtain a short-lived anonymous token (100 free credits, 7-day expiry).
2) the manifest lists a config path (~/.config/nemovideo/) but the instructions never reference it — ask the author whether the skill reads or writes files there.
Also remember that using the skill will send your media (and any prompt text) to mega-api-prod.nemovideo.ai; avoid uploading sensitive content unless you trust that service and its privacy terms.
If you want higher confidence, request the skill source or a homepage, and ask the maintainer to: (a) remove the false 'required' env claim if not needed, or explicitly document when a user-supplied NEMO_TOKEN is preferred, and (b) clarify whether tokens or session state are persisted to disk and what is stored under ~/.config/nemovideo/.


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
