Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Text To Video Editor
v1.0.0
Skip the learning curve of professional editing software. Describe what you want — turn this script into a 30-second video with visuals and background music...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (text→video rendering) align with the only declared credential (NEMO_TOKEN). However, the SKILL.md metadata includes a required config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — an inconsistency. Also the instructions expect to emit an X-Skill-Platform header derived from an install path (~/.clawhub/, ~/.cursor/skills/) even though this skill has no install spec; that implies the skill may read filesystem paths not declared in the registry metadata.
Instruction Scope
Runtime instructions are mostly limited to interacting with the remote nemovideo.ai API (auth, session creation, SSE, upload, export). This is expected for a cloud rendering skill. Concerning points: (1) the skill tells the agent to automatically POST for an anonymous token if NEMO_TOKEN is unset (it also instructs to not show raw token values to the user), giving the agent discretion to obtain and manage credentials; (2) it says to "store the returned session_id for all subsequent requests" but doesn't specify where or how (memory vs disk vs agent config); (3) header construction requires detecting an install path which may cause the agent to check filesystem locations. None of these are proof of malice but they are ambiguous and expand what the agent may read/store.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install mechanism (nothing is downloaded or extracted).
Credentials
Only NEMO_TOKEN is required, which is proportionate to a third-party video rendering API. Still, the skill's ability to mint anonymous tokens on the user's behalf and the unclear guidance about session token persistence increase the risk of credential leakage or unintended long-lived tokens. The SKILL.md metadata referencing a config path (~/.config/nemovideo/) that could contain credentials is also inconsistent with the registry manifest and should be clarified.
Persistence & Privilege
always:false and no install steps — the skill does not request permanent, forced inclusion. It does instruct keeping a session_id for the life of the session and notes that closing a tab may orphan jobs, but it does not request elevated system privileges or modifications to other skills' configs.
What to consider before installing
This skill appears to be what it says (a cloud text→video editor) and only asks for the service token it needs, but there are a few unclear points you should consider before installing or enabling it:
1) Source is unknown: verify the provider (nemovideo.ai) and whether you trust it with uploaded script files (uploads can include sensitive text and media).
2) The skill will either use NEMO_TOKEN from your environment or automatically request an anonymous token on your behalf; decide whether you want the agent to mint tokens silently or provide a token yourself.
3) Ask where session_id and tokens are saved: in-memory is safer than writing to disk/config folders; confirm the agent will not persist tokens in user config.
4) The SKILL.md references reading install paths to set an X-Skill-Platform header; confirm the agent will not scan unrelated filesystem locations.
5) If you plan to upload sensitive files, restrict autonomous invocation or require explicit user approval each time.
If you need higher assurance, request the skill author to (a) remove ambiguous filesystem access, (b) document exactly where tokens/session IDs are stored, and (c) publish a verifiable source/homepage before using it with real data.
Like a lobster shell, security has layers — review code before you run it.
latestvk9776zk8q0qb5mfrs7hwzcg4h584qxxk
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
