ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Motion Video Skill Free

v1.0.0

add video clips into motion-enhanced videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators use it for adding motion effe...

0· 55·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to add motion effects to uploaded videos and its runtime instructions describe endpoints and upload/export workflows that match that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata said no required config paths — this mismatch is unexplained. The service domain (mega-api-prod.nemovideo.ai) has no homepage or source listed in the registry, which reduces traceability.
Instruction Scope
Instructions are explicit about creating sessions, uploading files, SSE chat streams, polling exports, and required headers. Those actions are expected for a cloud-rendering video skill. The instructions also tell the agent to detect install path (to set X-Skill-Platform) which requires filesystem inspection — not necessary for core functionality and should be noted. The agent is directed to generate anonymous tokens when NEMO_TOKEN is absent and to upload user video files to the external domain, which is expected but involves transmitting potentially sensitive media off-device.
Install Mechanism
No install spec and no code files are present (instruction-only). This lowers risk because nothing will be written to disk by an installer.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is proportionate to a cloud API. However, the SKILL.md frontmatter additionally references a config path (~/.config/nemovideo/) that could indicate the skill expects local config; registry metadata omits this — inconsistency worth noting. The skill will accept/generate anonymous tokens when NEMO_TOKEN is missing; anonymous tokens grant limited credits and still permit uploads.
Persistence & Privilege
The skill does not request always:true or any elevated platform privileges. It does instruct reading its own frontmatter and detecting common install paths for attribution headers; this is limited in scope and not a broad privilege escalation.
What to consider before installing
This skill behaves like a thin client for a cloud video-rendering API: it will upload your video files to https://mega-api-prod.nemovideo.ai and require/accept a NEMO_TOKEN (or obtain an anonymous token). Before installing or using it, verify the backend/service provenance (there's no homepage or source listed), and avoid uploading sensitive or private footage until you confirm the provider's privacy and retention policy. Note the minor inconsistencies: the SKILL.md references a local config path (~/.config/nemovideo/) not listed in the registry metadata, and the skill will inspect install paths to add attribution headers — if you are uncomfortable with file-system checks or sending media to an unverified domain, do not install. If you proceed, prefer using an account token from a trusted provider (not a long-lived privileged secret) and monitor network activity or API usage for unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk972a1vchgc3v344q1y6dyyj5h84n7nz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments