Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Music Video Generator

v1.0.0

Get synced music videos ready to post, without touching a single slider. Upload your audio files, images (MP3, WAV, JPG, PNG, up to 500MB), say something lik...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the actions in SKILL.md: it calls a remote API to create beat-synced videos and requires a single API token (NEMO_TOKEN). However the package has no homepage or source URL and the registry owner is unknown, which reduces confidence in the backend's trustworthiness.
Instruction Scope
The instructions explicitly send user audio/images to an external API (mega-api-prod.nemovideo.ai) and require Authorization: Bearer <NEMO_TOKEN>. That is expected for a cloud-rendering skill, but it means all uploaded media and generated drafts are transmitted off-device. The SKILL.md also asks the agent to 'auto-detect' an install path to set an attribution header (X-Skill-Platform), which implies reading local install paths; this filesystem probing is not justified by the stated task and is not declared in requires/configPaths. The frontmatter also lists a config path (~/.config/nemovideo/), but the runtime instructions never explain reading it; this mismatch suggests possible scope creep or sloppy metadata.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing will be downloaded or written to disk by an installer. This is the lowest-risk install model.
Credentials
Only one credential is required (NEMO_TOKEN), which is appropriate for a hosted API. The metadata also lists a config path (~/.config/nemovideo/); its purpose isn't explained in the instructions, so the presence of that path in metadata is inconsistent and worth questioning.
Persistence & Privilege
The skill is not always-enabled and allows normal model invocation. It does not request system-wide privileges or attempt to modify other skills. No persistent install behavior is declared.
What to consider before installing
This skill will upload your audio and images to a third-party service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will obtain an anonymous token). Before installing or using it:
(1) confirm who runs the megavideo/nemovideo domain (no homepage or repo is provided here),
(2) consider privacy — your media will be transmitted and processed off-device; don't upload sensitive files,
(3) prefer using a short-lived/anonymous token rather than a long-lived secret if possible,
(4) ask the publisher for a privacy/data-retention policy and token scope, and
(5) question the unexplained metadata (the declared config path and the instruction to auto-detect an install path) — request clarification why the skill needs to read local install paths or config directories.
If you can't verify the operator or data practices, avoid providing permanent credentials or sensitive media.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
