Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Generator Free
v1.0.0
Cloud-based video-generator-free tool that handles generating videos from text or images without editing software. Upload MP4, MOV, PNG, JPG files (up to 200...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the runtime instructions (session creation, uploads, SSE, render/export). Requesting a NEMO_TOKEN is coherent for a cloud API. However, the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) that is not reflected in the registry metadata — this mismatch is unexplained and worth noting.
Instruction Scope
Runtime instructions stay within the stated purpose: authenticating, creating sessions, uploading media, streaming SSE, polling render status, and returning download URLs. They instruct the agent to upload local files (multipart -F "files=@/path"), use a Bearer token, and to auto-generate an anonymous token if NEMO_TOKEN is absent. No instructions ask the agent to read unrelated system files or other environment variables, but the frontmatter's configPath implies possible file access that the body doesn't explicitly justify.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only NEMO_TOKEN is required as the primary credential, which is proportionate for a cloud API. But the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while registry metadata lists no config paths — an inconsistency. Consider whether the skill will attempt to read that config directory (which may contain tokens or cached session data).
Persistence & Privilege
always is false and there is no install behavior or modification of other skills. The skill can be invoked autonomously (default), which is expected; this alone is not a red flag.
What to consider before installing
This skill appears to be a front-end for the nemovideo.ai API and will upload files and make network requests to https://mega-api-prod.nemovideo.ai. Before installing or using it: (1) Treat NEMO_TOKEN like a password — only provide a token you trust the skill with; prefer a short-lived or limited token or use the anonymous-token flow if you don’t want to share credentials. (2) Don't upload sensitive files (PII, private videos) until you verify the service owner and privacy policy — the skill's source and homepage are unknown. (3) Ask the publisher for provenance (source repo, privacy/terms, contact). (4) Note the metadata mismatch about a config path (~/.config/nemovideo/) — confirm whether the skill will read local config files before granting it access to your environment. If you cannot verify the publisher or limit the token's scope, avoid providing long-lived credentials or sensitive media.
Like a lobster shell, security has layers — review code before you run it.
latest vk973fe2b2ef5p66re18awvm74s84jg45
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
