ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Text To Video Llm

v1.0.0

generate text prompts into AI generated videos with this skill. Works with TXT, DOCX, PDF, plain text files up to 500MB. marketers, content creators, develop...

0· 17·0 current·0 all-time
by@susan4731-wilfordf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the declared primary credential (NEMO_TOKEN) are consistent with a cloud video-generation backend. However, the skill's YAML frontmatter (in SKILL.md) declares a config path (~/.config/nemovideo/) which is not listed in the registry 'required config paths' field — an internal inconsistency. Requiring NEMO_TOKEN is proportionate to the service's purpose.
!
Instruction Scope
The SKILL.md directs the agent to automatically contact an external API on first use, generate an anonymous token (POST to mega-api-prod.nemovideo.ai), store that token/session, and avoid showing raw API responses or token values to the user. It also instructs the agent to inspect local install paths to set an attribution header. Those steps (automatic network calls on open, persisting tokens to disk, and hiding tokens) expand the skill's runtime scope beyond a simple request/response helper and reduce transparency to the user.
Install Mechanism
Instruction-only skill with no install spec or code files — minimal surface for arbitrary code execution. This is the lowest-risk install model.
Credentials
Only one environment credential (NEMO_TOKEN) is declared, which is appropriate for an API-backed video service. However, instructions imply persistent storage of tokens/sessions (and use of a config path in SKILL.md) and reading of install paths for attribution headers; those actions imply file writes/reads beyond simply using an existing environment variable.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). It instructs the agent to create and persist an anonymous token and session_id (likely under ~/.config/nemovideo/ per SKILL.md frontmatter). Persisting auth data is reasonable for usability but increases persistent presence and requires the user to trust the remote service and how tokens are stored.
What to consider before installing
Before installing, consider that this skill will: automatically contact https://mega-api-prod.nemovideo.ai and may create and store an anonymous auth token and session ID (SKILL.md suggests ~/.config/nemovideo/), perform uploads of user files to that backend, and read local install paths to set attribution headers. If you care about transparency or auditability, prefer to: (1) supply your own NEMO_TOKEN from an account you control rather than allowing automatic anonymous-token creation; (2) confirm where the token/session will be written and inspect the file(s) or refuse storage; (3) review the privacy/terms of nemovideo.ai and whether uploaded inputs (up to 500MB) may be stored or used for training; and (4) be cautious about using the skill with sensitive text or files. Also note the SKILL.md frontmatter lists a config path not declared in the registry metadata — ask the publisher to clarify where persistent data is stored before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e16m77xm4vj0mxsc6sava7n84rpaj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments