Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lecture Video Maker
v1.0.0
Describe your lecture and NemoVideo creates the video. University courses, professional training sessions, conference talks — combine your slides, whiteboard...
by peandrover adam @peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md consistently describe a remote NemoVideo service (mega-api-prod.nemovideo.ai) that produces lecture videos — requiring an API token and a client_id stored under ~/.config/nemovideo/ is coherent with that purpose. However, the registry metadata at the top of the package claims no required env vars or config paths while the embedded SKILL.md declares NEMO_TOKEN and a config path; this metadata mismatch is an incoherence that should be resolved.
Instruction Scope
Runtime instructions are explicit: greet user, check/use NEMO_TOKEN, read-or-generate ~/.config/nemovideo/client_id, call the service's anonymous-token endpoint via curl, and create sessions. These steps stay within the scope of connecting to the remote video API. Important: the skill will transmit user content (video, slides, prompts) to an external API — the SKILL.md implies uploading user material to mega-api-prod.nemovideo.ai but does not describe privacy/retention or consent handling. No instructions ask the agent to read unrelated files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes disk footprint and install-time risk.
Credentials
The SKILL.md requires NEMO_TOKEN and a config path (~/.config/nemovideo/) and designates NEMO_TOKEN as primaryEnv — this is reasonable for an API-backed skill. However, the registry metadata contradicts that by listing no required env/config; the mismatch is unexplained. The skill will also create and persist a client_id locally and may store an anonymous token in-session; users should be aware that credentials/tokens will be created and stored under their home config directory.
Persistence & Privilege
The skill does write a client_id file under ~/.config/nemovideo/ and may store a session token for the session, but it does not request always:true, system-wide changes, or access to other skills or unrelated config paths. Its write scope is limited to a single per-user config directory.
What to consider before installing
Before enabling this skill: (1) Resolve the metadata mismatch — ask the publisher why the registry lists no env/config when SKILL.md requires NEMO_TOKEN and ~/.config/nemovideo/. (2) Understand privacy: this skill will transmit your lecture content (videos, slides, prompts) to mega-api-prod.nemovideo.ai; confirm the service's data retention, access, and sharing policies on nemovideo.com or the listed repository. (3) Token handling: the skill may create a client_id file and request an anonymous token; ensure you are comfortable storing those under ~/.config/nemovideo/ and that the agent will not persist unrelated secrets. (4) Verify the homepage/repository (the SKILL.md points to a GitHub repo) and prefer installing only if the upstream project and privacy posture are trustworthy. (5) If you handle sensitive or proprietary materials, test in a sandbox account or with non-sensitive content first and consider revoking any tokens after testing.
Like a lobster shell, security has layers — review code before you run it.
