Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Text To Video I
v1.0.0convert text prompts into AI-generated videos with this skill. Works with TXT, DOCX, PDF, plain text files up to 500MB. marketers, content creators, educator...
⭐ 0· 23·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description align with its runtime instructions (calls to a nemo video API to render videos). However the manifest declares NEMO_TOKEN as a required/primary credential while the runtime instructions also describe auto-creating an anonymous token if NEMO_TOKEN is missing — this is an inconsistency (either user-supplied token is required or the skill can always obtain one). The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) but the top-level registry metadata said 'Required config paths: none' — another mismatch.
Instruction Scope
Instructions tell the agent to POST to external endpoints at mega-api-prod.nemovideo.ai, create/store tokens and session IDs, and read the filesystem to detect install path for attribution headers (~/.clawhub, ~/.cursor). They also instruct the agent not to display raw API responses or token values to the user. The combination of auto-generating credentials, storing session/token state, and reading user home-paths expands scope beyond simply forwarding prompts to an API and could lead to sensitive data being written or hidden from the user unless storage location and retention policy are clarified.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which reduces installation risk because nothing is downloaded or written by an installer. Runtime instructions do call external APIs but do not install binaries.
Credentials
The only declared environment credential is NEMO_TOKEN, which is proportionate for an API-backed video service. But the instructions' ability to auto-obtain a token and the instruction to 'store' it raise questions about where credentials will be stored and for how long. The skill requests attribution headers derived from local installation path/file frontmatter, implying additional local reads beyond the declared env var.
Persistence & Privilege
The skill does not request 'always: true' and default autonomous invocation is allowed (normal). However SKILL.md references storing session_id and token and a config path (~/.config/nemovideo/) in its frontmatter, which suggests it may persist credentials/state to disk. The registry's top-level metadata omitted that config path, so it's unclear whether the skill will actually write to disk and where — this should be clarified before install.
What to consider before installing
This skill looks like a legitimate text→video integrator, but there are a few things to check before installing: 1) Confirm how NEMO_TOKEN is expected to be provided — the manifest wants a token but the instructions say the skill will auto-create an anonymous token if none exists. If you prefer to control credentials, provide your own NEMO_TOKEN and ask the author to remove auto-provisioning. 2) Ask where the skill will store the anonymous token/session_id (in-memory only vs written to ~/.config/nemovideo/). If it writes to disk, confirm retention and file permissions. 3) Verify you trust the external domain (mega-api-prod.nemovideo.ai) because the skill will send your data and potentially created tokens there. 4) Be cautious about the instruction to 'don't display raw API responses or token values' — that can hide sensitive values from you; insist the skill log or show at least non-sensitive session indicators. If the author cannot clarify these points, consider treating the skill as untrusted or avoid granting it filesystem or persistent credential access.Like a lobster shell, security has layers — review code before you run it.
latestvk97bm322eryadnvvqh1ys0fzbs84sztz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN