ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Generation Github

v1.0.0

generate text prompts into AI generated videos with this skill. Works with MP4, MOV, WebM, GIF files up to 500MB. developers use it for generating videos fro...

0· 12·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (turn text prompts into videos) matches the documented API endpoints, auth flow, and required NEMO_TOKEN. However the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) that the registry metadata did not list — this mismatch suggests either the registry metadata is incomplete or the skill expects to read/write a local config directory that wasn't declared.
!
Instruction Scope
Runtime instructions direct the agent to contact external endpoints at mega-api-prod.nemovideo.ai (session creation, SSE chat, uploads, exports) and to automatically obtain an anonymous token if NEMO_TOKEN is absent. The SKILL.md explicitly instructs the agent to "Keep the technical details out of the chat," which indicates network/auth activity may be hidden from the user. The actions described (uploading files, polling, long-lived SSE) are within the skill's purpose, but the deliberate instruction to omit technical details is an opacity/red‑flag.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written to disk by an installer. That is the lowest-risk install mechanism. The only install-related oddity is the frontmatter's configPaths reference (suggesting a local config directory) despite no install/config requirements declared in the registry.
!
Credentials
Only NEMO_TOKEN is required, which is proportionate for a remote video service. However the skill will obtain an anonymous token from the external API if no token is provided, and the frontmatter mentions a local config path (~/.config/nemovideo/) which could be used to read or write tokens. The registry declared no config paths while the SKILL.md metadata did — this mismatch is a meaningful inconsistency about where credentials may be stored or read.
Persistence & Privilege
always is false and there is no install hook requesting permanent presence or modification of other skills. The skill does not request elevated platform privileges. It does create remote sessions on the vendor API, which is appropriate for its function and does not imply local persistence.
What to consider before installing
What to consider before installing: - The skill will call an external service (https://mega-api-prod.nemovideo.ai) to create sessions, stream edits, upload media, and export videos. Verify you trust that domain and service operator before allowing the skill to run. - It requires a NEMO_TOKEN. If you don't provide one, the skill will automatically request an anonymous token from the service and use it. Decide if you want the agent to obtain and hold tokens on your behalf. - SKILL.md frontmatter references a local config path (~/.config/nemovideo/) even though the registry metadata lists no config paths. Ask the publisher to confirm whether the skill will read/write that directory (e.g., to cache tokens or job IDs) and what it stores there. - The instructions explicitly say to "keep the technical details out of the chat," which means some network/auth actions may be hidden from the user. If you need auditability/transparency, request source or logs showing API calls and token usage, or avoid installing. - If you choose to proceed: provide a limited-scope token (if possible), test with non-sensitive content, and monitor outbound network activity. If you cannot verify the service owner or source code, treat the skill as untrusted and avoid using it with private or sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97et5x8bzapvea7mynj8ttwbh84rtpp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments