Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

How To Add Music To Video

v1.3.1

Learn how-to-add-music-to-video using ClawHub's conversational AI skill. Drop in your footage, name a track or upload an audio file, and the OpenClaw agent h...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (adding music to video) align with the declared primary credential (NEMO_TOKEN) and the API domain (mega-api-prod.nemovideo.ai). This is coherent: a cloud service token is expected for remote video/audio processing. However, registry metadata lists no config paths while the SKILL.md explicitly declares and uses ~/.config/nemovideo/ (client_id), so the declared surface doesn't fully match the runtime instructions.
Instruction Scope
SKILL.md instructs the agent to greet users, accept uploads, parse/modify video/audio, call the Nemovideo API (curl to mega-api-prod.nemovideo.ai), and read/write ~/.config/nemovideo/client_id. The actions are within the skill's stated purpose (network calls to the service, persisting a client ID). There is no instruction to access unrelated files or other credentials. The only scope inconsistency: the file I/O path is used but not declared in the registry metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. The skill relies on outbound HTTPS calls (curl examples) to the vendor API; nothing is downloaded or written beyond the client_id persistence the skill describes.
Credentials
The skill asks for a single service token (NEMO_TOKEN), which is appropriate for a remote media-processing service. SKILL.md, however, says NEMO_TOKEN is optional and will be auto-generated via an anonymous-token endpoint if absent, whereas registry metadata lists NEMO_TOKEN as required. That discrepancy should be resolved so you know whether a token (and its privileges) will be provided automatically or must be supplied.
Persistence & Privilege
always is false (normal). The skill persists only its own client_id to ~/.config/nemovideo/client_id (a UUID, not a secret) to avoid rate limits; it does not request system-wide changes or other skills' configs. The agent will make network calls to the vendor API, which is expected for this functionality.
What to consider before installing
What to check before installing:
(1) Confirm that the skill's source (homepage and repository) is legitimate and trustworthy; inspect the vendor's privacy/terms for how uploaded media is handled.
(2) Decide whether you want the agent to auto-generate an anonymous token; if not, create and supply your own NEMO_TOKEN so you control the credential.
(3) Be aware that the skill will write ~/.config/nemovideo/client_id (a UUID) and make outbound HTTPS calls to mega-api-prod.nemovideo.ai; if you need to restrict network access or protect sensitive footage, either do not install the skill or run it in an isolated environment.
(4) Ask the author to fix the metadata mismatch (registry-required env/config vs SKILL.md behavior) so you know exactly what will be required and persisted.
If you want, provide the homepage/repo URLs to a security-savvy colleague or verify them manually before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dyvjby1ksb6cec9tca97z9183w9s1

Runtime requirements

🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
