Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Video Generator
v1.0.0
Generate text or images into ready-to-upload videos with this skill. Works with MP4, MOV, PNG, JPG files up to 500MB. YouTubers use it for generating YouTube...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description (YouTube video generator) match the network actions described (upload, SSE, render/export). Requesting NEMO_TOKEN as the primary credential is coherent. However the metadata and runtime instructions also reference a local config path (~/.config/nemovideo/) and require reading the agent's install path to populate an X-Skill-Platform header — these are not strictly necessary for basic operation and are unusual for a simple API client.
Instruction Scope
SKILL.md instructs the agent to obtain/refresh anonymous tokens, create sessions, upload files and poll render status — all expected. But it also instructs the agent to detect the skill install path (~/.clawhub/, ~/.cursor/skills/) to set an attribution header, and refers to reading the file's YAML frontmatter for attribution. Asking the agent to inspect install directories and specific config paths expands the scope of data the skill may access on the host and could reveal other installed tooling; this is out of the ordinary for a purely remote rendering API.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written to disk by an installer step. That is the lowest-risk install model.
Credentials
The skill declares a single required environment variable (NEMO_TOKEN), which is appropriate for authenticating to the described API. However, the metadata's configPaths and the runtime request to detect install paths mean the skill may access local config directories; users should confirm those directories do not contain unrelated secrets before allowing access.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It instructs saving a session_id for its own session management, which is normal and limited in scope.
What to consider before installing
Before installing or invoking this skill:
1) Treat NEMO_TOKEN as a secret — only provide a token with minimal privileges or use the anonymous token flow if you prefer limited lifetime/credits.
2) The skill asks the agent to inspect local paths (~/.config/nemovideo/, ~/.clawhub/, ~/.cursor/skills/) to set attribution headers; consider whether you want the agent reading those locations (they might reveal other installed skills or local config).
3) Because this is instruction-only, there is no installer, but network requests will go to mega-api-prod.nemovideo.ai — verify you trust that domain and the service's privacy policy.
4) If you proceed, monitor what tokens/session IDs are stored and avoid exposing broader credentials (AWS, GitHub, etc.) in the same environment.
If you want stronger assurance, request more details from the publisher about why install-path detection is required and what is stored in ~/.config/nemovideo/.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97et8gvc2dnbnrgqeqrk73ep58515x9
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
