Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Generator Free Gemini

v1.0.0

Turn a short text prompt describing a 30-second explainer video into 1080p AI-generated videos just by typing what you need. Whether it's generating videos f...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description promise is a text→video generator. The runtime instructions consistently call a nemovideo cloud API (https://mega-api-prod.nemovideo.ai) and require a NEMO_TOKEN, which is coherent with a cloud rendering service. Minor mismatch: the visible marketing repeatedly references “Gemini AI” while the API endpoints are for nemovideo.ai — this could be just branding/implementation detail but the skill does not explain the relationship.
Instruction Scope
Instructions direct the agent to authenticate (either using NEMO_TOKEN or by requesting an anonymous token), create a session, upload user files (multipart or URLs), run SSE streaming endpoints, poll render status, and return download URLs. These actions are expected for a video-rendering skill, but they also mean user scripts/media are transmitted to an external service. The SKILL.md also instructs the agent to read this file's YAML frontmatter at runtime and detect install path(s) to populate attribution headers — that requires reading local skill files and probing install locations. Also: the registry metadata lists NEMO_TOKEN as required, but the instructions provide an anonymous-token flow if NEMO_TOKEN is not set, which is an inconsistency in declared vs actual runtime requirements.
Install Mechanism
No install spec and no code files — instruction-only skill. That minimizes on-disk changes and install-time risk.
Credentials
Only one credential is declared (NEMO_TOKEN), which is appropriate for a cloud API. However the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) while the registry metadata earlier showed no configPaths — another small inconsistency. Also, although NEMO_TOKEN is declared as required, the instructions implement an anonymous-token flow when the variable is absent, so the variable is not strictly necessary; this mismatch should be corrected or clarified by the author.
Persistence & Privilege
always is false; the skill is user-invocable and can be called autonomously (platform default). The skill instructs the agent to save the session_id/token in-session for operation, but it does not request system-wide configuration or modify other skills.
What to consider before installing
This skill uploads your text, scripts, and any files you provide to an external service (mega-api-prod.nemovideo.ai) for rendering — expect that content to be processed off your machine. Before installing or using it:
1) Confirm you trust nemovideo.ai (privacy, retention, and terms).
2) Understand that NEMO_TOKEN is the credential controlling access — the skill can also create an anonymous short-lived token if none is present, so the registry claiming NEMO_TOKEN is “required” is misleading.
3) Ask the author to clarify the ‘Gemini’ branding vs the nemovideo API, and to correct the metadata inconsistencies (declared configPaths / required env vars).
4) Avoid uploading sensitive content until you verify the service and its data-handling policy.
If you need stronger assurance, request source code, a homepage/maintainer identity, or run the integration in a restricted environment/account.

Like a lobster shell, security has layers — review code before you run it.

latestvk975z9pt7wf0w3c7r0038rbbbh84rzpq

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
