ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create Video With Ai Free

v1.0.0

Cloud-based create-video-with-ai-free tool that handles generating videos from images or clips without editing software. Upload MP4, MOV, JPG, PNG files (up...

0· 20·0 current·0 all-time
by@susan4731-wilfordf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with requiring a token and calling a remote render API (uploads, session, export). However the frontmatter asks the agent to detect install path and read this file's YAML frontmatter at runtime (to populate X-Skill-Platform and X-Skill-Version). That filesystem access is not strictly necessary for video rendering and is an unexpected additional capability. Also registry metadata earlier indicated no config paths, while the frontmatter lists ~/.config/nemovideo/ — an inconsistency.
!
Instruction Scope
SKILL.md explicitly instructs network calls to mega-api-prod.nemovideo.ai for auth, SSE chat, upload, export, etc. It also tells the agent to read its own SKILL.md frontmatter and inspect install paths (~/.clawhub, ~/.cursor/skills/) to set attribution headers. Those instructions require reading local files/paths and transmitting user-uploaded media to a third-party server. Uploading private media is expected for this service but is a privacy risk; filesystem inspection for install-path detection is scope creep and should be deliberate and justified.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk (nothing will be written to disk by an installer).
Credentials
Only a single credential (NEMO_TOKEN) is declared as required, which is proportionate for a cloud API. But SKILL.md also references a config path in its frontmatter (~/.config/nemovideo/) even though the surrounding registry metadata listed no config paths — this mismatch should be clarified. The skill will also attempt to create an anonymous token if NEMO_TOKEN is missing (network call), which is acceptable but means the agent may transmit a generated client UUID to the service.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent inclusion or special platform-wide privileges.
What to consider before installing
This skill appears to be a legitimate cloud video-generation integrator, but before installing consider: (1) It will upload whatever media you provide to mega-api-prod.nemovideo.ai — do not send sensitive/private assets unless you trust that service and its privacy policy. (2) The instructions ask the agent to read the skill's frontmatter and detect install paths (~/.clawhub, ~/.cursor/skills/) to populate attribution headers; that requires local filesystem access — confirm you are comfortable with the agent reading those paths. (3) There is a metadata mismatch: registry metadata shows no configPaths but the SKILL.md frontmatter lists ~/.config/nemovideo/ — ask the publisher to clarify. (4) If you do not supply NEMO_TOKEN, the skill will request an anonymous token by POSTing a generated UUID; review that interaction. If you need stronger assurance, request the maintainer's homepage/owner info, verify the API domain reputation, or restrict use to non-sensitive media only.

Like a lobster shell, security has layers — review code before you run it.

latestvk979hs3by8bjqfer0qc0rv3wr584kgvs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments