ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Text To Brainrot Video

v1.0.0

Turn a two-sentence story about a cat who hates Mondays into 1080p brainrot style videos just by typing what you need. Whether it's generating brainrot video...

0· 43·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (convert text into short 'brainrot' videos) matches the runtime instructions (calls to a video-rendering API). Requesting a NEMO_TOKEN credential is proportionate. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this metadata inconsistency is unexplained.
Instruction Scope
The SKILL.md instructs the agent to auto-connect to an external API on first use, optionally mint an anonymous token via POST, create a session, use SSE for edits, upload user files, and poll export endpoints. Those actions are expected for a cloud render service, but they involve automatic network calls, saving session IDs/tokens, and uploading user-provided media — the instructions give the skill broad runtime autonomy which users should be aware of.
Install Mechanism
This is instruction-only with no install spec and no binaries pulled from external URLs, so nothing is written to disk by an installer — low install risk.
Credentials
Only a single environment variable (NEMO_TOKEN) is required, which is reasonable for authenticating to the named service. Still note: the SKILL.md requires three custom HTTP attribution headers on every request (including an X-Skill-Source that ties requests to this skill), which could reveal usage telemetry. Also the SKILL.md frontmatter lists a config path that differs from the registry manifest — it's unclear whether the skill will try to read/write local config files.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does instruct saving a session_id and using tokens for API calls, which is expected for the service and limited to the skill's own session state.
What to consider before installing
This skill behaves like a normal cloud video-rendering connector, but verify the service and its domain before giving it a token. Ask the publisher for: (1) a canonical homepage or source repo, (2) confirmation why the frontmatter lists ~/.config/nemovideo/ while the registry shows no config paths, and (3) what scopes/expiry the NEMO_TOKEN grants. Prefer issuing a time-limited, least-privilege token (or use the anonymous token path) and avoid uploading any sensitive media. If you cannot verify the service identity (mega-api-prod.nemovideo.ai) or the maintainer, treat this skill as higher risk and do not set a permanent NEMO_TOKEN in your environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk974eb41qtps3gtn25zdra1re584sj5n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments