Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Heygen Ai

v1.0.0

marketers generate text or images into AI avatar videos using this skill. Accepts MP4, MOV, JPG, PNG up to 500MB, renders on cloud GPUs at 1080p, and returns...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill declares a single credential (NEMO_TOKEN) which matches a cloud render/video service. Actions (session creation, upload, render/export, credits) are coherent with the stated purpose. However, SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and instructions derive headers from local install paths (~/.clawhub/, ~/.cursor/skills/), while the registry metadata above said no required config paths — this mismatch is an inconsistency to be aware of.
Instruction Scope
Instructions remain within a video-rendering scope (session auth, SSE for messages, file upload endpoints, export polling). They explicitly instruct reading NEMO_TOKEN and, if missing, obtaining an anonymous token by POSTing to the service (i.e., the skill will auto-provision a short-lived token). The skill also references reading/detecting local install paths to set an attribution header, which implies filesystem checks beyond simply handling user-submitted media. Upload instructions reference multipart file paths (files=@/path), which is expected but means the agent will read local files supplied for upload.
Install Mechanism
No install spec and no code files — instruction-only. This is low risk from an install/execution standpoint because nothing is downloaded or written to disk by an installer.
Credentials
The single required env var (NEMO_TOKEN) is proportionate for a cloud render service. Caveat: SKILL.md instructs the agent to automatically acquire an anonymous token from the service if no NEMO_TOKEN is present, which means the skill does not strictly require the user to supply credentials and will contact the vendor to obtain short-lived credentials. There are no other unrelated secrets requested.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges. It does include logic to detect install paths for an attribution header, but it does not ask to modify other skills or global agent configuration.
What to consider before installing
This skill appears to implement a legitimate cloud avatar-video workflow and only asks for one credential (NEMO_TOKEN). Before installing, consider:
1) Uploaded media and text will be sent to an external service (mega-api-prod.nemovideo.ai) — do not upload sensitive or private data unless you trust the provider.
2) The skill will attempt to auto-fetch an anonymous token if you don't provide NEMO_TOKEN (this will create short-lived credentials server-side); if you prefer to control credentials, set NEMO_TOKEN yourself.
3) The SKILL.md references reading local install paths to set attribution headers (e.g., ~/.clawhub), which is a minor filesystem access beyond handling user-supplied files — verify you are comfortable with that.
4) There is a mismatch between the registry metadata (no config paths) and the SKILL.md frontmatter (declares ~/.config/nemovideo/) — ask the publisher to clarify.
If you need higher assurance, request the service's privacy/terms link or a canonical homepage and verify the domain and API endpoints before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cdch7rteffnftyy29wn8pj584jqde


Runtime requirements

🎙️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
