ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance Capcut

v1.0.1

create video clips or images into AI-generated videos with this seedance-capcut skill. Works with MP4, MOV, JPG, PNG files up to 500MB. TikTok creators and s...

0· 24·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (AI video creation) align with the instructions (upload files, create sessions, render/export). However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — an internal inconsistency in declared requirements.
!
Instruction Scope
Runtime instructions tell the agent to POST files and messages to https://mega-api-prod.nemovideo.ai, create sessions, stream SSE edits, poll render status, and return download links. That is coherent for a video service, but the skill will upload user media to a third party (privacy risk). The instructions also require adding attribution headers and storing a session_id for subsequent calls. The SKILL.md tells the agent not to display raw API responses or token values, which is unusual but consistent with hiding auth tokens from the user interface.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer step in the registry data.
Credentials
Only NEMO_TOKEN is declared as required (primaryEnv). That is proportionate for a service that needs an API bearer token. The skill can also obtain an anonymous token itself via the API if NEMO_TOKEN is not provided. The earlier-mentioned discrepancy (frontmatter configPaths vs registry none) is a small inconsistency to clarify.
Persistence & Privilege
always: false and no install steps; the skill stores an ephemeral session_id for workflow but does not request permanent system-wide privileges. Autonomous invocation is allowed (default) but not in itself a red flag.
What to consider before installing
This skill appears to implement what it claims (AI video creation) and will upload any media you provide to https://mega-api-prod.nemovideo.ai for cloud rendering. Consider the following before installing: 1) Privacy: do not upload sensitive or confidential videos unless you trust the third‑party service; check the service's privacy and retention policies. 2) Token handling: the skill uses a NEMO_TOKEN (or can request an anonymous token); treat any long‑lived token as sensitive. 3) Metadata mismatch: the SKILL.md lists a config path (~/.config/nemovideo/) that the registry does not — ask the publisher to clarify if the skill will read/write that path. 4) Attribution headers: every API call includes skill-identifying headers (tracking/telemetry); be aware this links your usage to this skill ID. 5) Source verification: the skill's source/homepage is unknown — if you need stronger assurance, request a published source or documentation from the owner before use. If you proceed, avoid uploading private content until you confirm the service and publisher policies.

Like a lobster shell, security has layers — review code before you run it.

latestvk975bq8attz9p3w4dd0hm3a4ps84ejmf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments