Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Generator Hailuo

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — generate a 5-second cinematic video clip from a text prompt — and get AI-g...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate short AI video clips and its instructions exclusively call a remote rendering API (upload, session, render, status) — asking for NEMO_TOKEN is coherent with that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not reflected in the registry requirements, and the package source/homepage are missing — these provenance mismatches reduce confidence.
Instruction Scope
Runtime instructions are narrowly scoped to API interactions: obtain or use NEMO_TOKEN, create a session, upload files, use SSE for streaming, and start renders. There are no instructions to read arbitrary local files beyond user uploads. One small scope note: the skill's instructions call for detecting the install path to set X-Skill-Platform, and the frontmatter references a local config path, which may imply access to agent/install metadata or a user config directory.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is downloaded or written to disk by the skill itself — this is the lowest-risk install model.
Credentials
The only declared credential is NEMO_TOKEN (primaryEnv), which is proportionate for a cloud API. But SKILL.md frontmatter also mentions a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this inconsistency could indicate incomplete metadata or unexpected local config access. Also, the skill will accept an anonymous token it obtains from the vendor API if NEMO_TOKEN is absent (network calls that create and use tokens).
Persistence & Privilege
The skill is not always-enabled and does not request elevated/platform-wide privileges. It is instruction-only and does not auto-modify other skills or agent configuration according to the provided files.
What to consider before installing
This skill talks only to a remote video rendering service and needs a NEMO_TOKEN (or will request an anonymous token from the vendor). Before installing:
1) Be cautious because the skill's source and homepage are missing — you can't verify the vendor or review source code.
2) Confirm you trust https://mega-api-prod.nemovideo.ai (privacy, retention, and what uploaded files are used for).
3) Note the frontmatter references a local config path (~/.config/nemovideo/) that is not declared in the registry — ask the author whether the skill will read or write local config.
4) If you prefer privacy, avoid placing long-lived credentials in NEMO_TOKEN; use a limited or ephemeral token and avoid uploading sensitive media.
If the publisher can provide a homepage or source repository and reconcile the metadata mismatch, that would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97crnw2n436d6rby71qxsjq0984rna4


Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
