Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Copywriter Video Online
v1.0.0
Turn a 150-word product description paragraph into 1080p script-based videos just by typing what you need. Whether it's converting written copy into promotio...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only adapter for a remote video-rendering API and legitimately needs an API token (NEMO_TOKEN) and session management. However the SKILL.md's YAML metadata references a local config path (~/.config/nemovideo/) and automatic detection of the agent's install path for an attribution header; these items are not declared in the top-level Requirements section and are not strictly required to perform remote API calls, creating a small mismatch.
Instruction Scope
Runtime instructions are focused on API calls required to create sessions, upload media, and export rendered videos. They do not ask for arbitrary files or unrelated environment variables. Two scope caveats: (1) the skill tells the agent to detect its install path to set X-Skill-Platform (this implies reading local paths like ~/.clawhub/ or ~/.cursor/skills/), and (2) the metadata suggests a config path (~/.config/nemovideo/) which implies the skill might read or write files there. Both behaviors are outside strictly necessary API calls and should be made explicit before giving the skill disk or file-system access.
Install Mechanism
There is no install specification and no code files — this is instruction-only. That minimizes on-disk attack surface since nothing is downloaded or executed by the skill itself.
Credentials
Only one environment variable is required: NEMO_TOKEN (declared as primary). That is proportional to a service that authenticates API calls. However, the YAML also declares a configPaths entry (~/.config/nemovideo/) which the top-level manifest did not list; this suggests the skill may read or write local config files (session tokens, cached credentials). Confirm where session_id and tokens are stored before granting persistent credentials.
Persistence & Privilege
The skill does not request always:true and has no install steps, so it does not demand permanent platform-wide presence. The SKILL.md instructs the agent to 'save session_id' and to reuse NEMO_TOKEN if present; the storage location is unspecified. This could lead to tokens or session IDs being cached on disk (e.g., under ~/.config/nemovideo/), which has implications for persistence and credential lifecycle.
What to consider before installing
This skill appears to do what it says (remote video rendering) and only needs a single service token, but exercise caution before installing or providing credentials:
- Source provenance: The skill has no homepage or source repo listed. If you don't recognize the owner, treat the skill as untrusted until you can verify the API/domain (mega-api-prod.nemovideo.ai) is legitimate.
- Token scope and storage: NEMO_TOKEN is the sole credential — it likely controls rendering, credits, and billing. Use a token dedicated to this service (don't reuse other sensitive credentials). Ask how and where the agent will store the token/session_id; the YAML mentions ~/.config/nemovideo/ which could persist tokens to disk. If you want ephemeral use, prefer the anonymous-token flow and avoid writing the token to disk.
- Filesystem access: The skill implies detecting install paths (~/.clawhub/, ~/.cursor/skills/) and may read/write ~/.config/nemovideo/. Confirm whether the agent will actually read those paths and what it will store there. If you don't want disk access, restrict the agent's filesystem access or decline to set persistent tokens.
- Privacy of uploads and outputs: Uploaded media and generated videos go to the remote API; check the service's privacy policy before sending sensitive content. Also verify whether generated download URLs are private or publicly accessible.
If you cannot verify the domain or the maintainer, or you are uncomfortable with potential disk persistence of tokens/sessions, do not provide a persistent NEMO_TOKEN; prefer a short-lived anonymous token flow, or avoid using the skill.
Runtime requirements
✍️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
