ClawHub

Video Maker Free App

v1.0.0

create video clips or images into polished MP4 videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. casual creators and social media use...

0· 21·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (cloud video composition/export) matches the declared primary credential (NEMO_TOKEN) and the SKILL.md shows only calls to a video rendering API. Requesting a service token for the backend is proportionate to the skill's purpose. Note: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) but the registry metadata lists no required config paths — this mismatch should be clarified.
Instruction Scope
Instructions focus on connecting to the nemovideo.ai API, uploading files, streaming SSE messages, checking credits/state, and polling for render status — all consistent with a render pipeline. The skill instructs generating an anonymous token if NEMO_TOKEN is absent and to store session_id for future calls. It also asks the agent to 'auto-detect' platform from install path which implies reading agent environment/install path; that is a minor scope creep and could require filesystem access depending on implementation. The doc also tells the agent not to display raw API responses or tokens to the user — reasonable, but worth noting.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk installation mechanism.
Credentials
Only one environment credential is declared: NEMO_TOKEN (primary). That is proportionate for a hosted video API. However, the skill's frontmatter lists a config path (~/.config/nemovideo/) which is not reflected in the registry's required config paths — if implemented, reading that path could expose saved tokens or user data. Clarify whether the skill will actually read local config files or only use in-memory/session tokens.
Persistence & Privilege
The skill is not marked always:true and does not request broad system privileges. It does instruct creating and storing a session_id/token for the service, which is normal for a session-based API. No instructions to modify other skills or system-wide settings are present.
Assessment
This skill appears to be a straightforward client for a cloud video-rendering API (nemovideo.ai) and only needs a single token (NEMO_TOKEN). Before installing: 1) Note the skill's source/homepage is unknown — verify the vendor/service (nemovideo.ai) and its privacy terms if you plan to upload sensitive videos. 2) Decide whether you want the skill to auto-create an anonymous token on your behalf; if not, provide your own NEMO_TOKEN. 3) Ask the author to clarify the metadata mismatch about ~/.config/nemovideo/ (will the skill read local config files?). 4) Avoid sending highly sensitive content until you confirm the backend and privacy policy. 5) If you must protect local files, run the skill in a sandboxed environment or restrict file access. These precautions would increase confidence in installing and using this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk974t1jm8c1w9t2jxw7h2gy84984saxn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments