ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Generator In Ai

v1.0.0

generate text or images into AI-generated videos with this skill. Works with MP4, MOV, JPG, PNG files up to 200MB. content creators, marketers, students use...

0· 12·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (AI video generation) matches the runtime instructions: calls to a single external video-rendering API, upload endpoints, render/export flows, and one service token (NEMO_TOKEN). No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to obtain or use NEMO_TOKEN, create sessions, upload user files (multipart or by URL), stream SSE events, poll render status, and include attribution headers. These actions are expected for a remote video-rendering integration. The doc asks the agent not to display raw API responses or token values to users and to 'store' session_id/token for subsequent calls — this is reasonable for usability but reduces transparency and raises modest concern about how tokens are persisted and shown to the user.
Install Mechanism
Instruction-only skill with no install spec or code files. Low install risk: nothing is downloaded or written by an install step in the registry metadata.
Credentials
Only one environment credential is declared (NEMO_TOKEN), which is proportionate for a 3rd-party API. Minor incoherence: registry lists NEMO_TOKEN as a required env var, yet the instructions include an automatic anonymous-token POST to obtain a token if none is present. The frontmatter also mentions a config path (~/.config/nemovideo/) while the registry metadata earlier indicated no required config paths — another small mismatch.
Persistence & Privilege
Skill does not request always: true, nor system-level privileges. It requires storing a session_id/token for API calls (normal for a remote service), but there is no instruction to modify other skills or global agent configs.
What to consider before installing
This skill appears to be a straightforward connector to an external video-rendering service and only needs one token (NEMO_TOKEN). Before installing: 1) Be aware uploads (video/images/audio) will be sent to https://mega-api-prod.nemovideo.ai — do not send sensitive or personally identifiable content unless you trust that service and its privacy policy. 2) The skill will obtain/store an anonymous token automatically if you don't provide one; if you prefer control, supply your own NEMO_TOKEN instead of letting the skill fetch it. 3) There are small metadata mismatches (declared config-path vs registry, required env var vs auto-generation) — this looks like sloppy packaging rather than malicious behavior, but you should confirm how/where tokens and session IDs are stored and whether the UI ever displays them. 4) If you need higher assurance, ask the publisher for a privacy/security statement and for the service's domain ownership or public documentation before using it in production or with sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ak9hfgxe03csmmgart2304s84s8fd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments