ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Add Music To

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — add background music that matches the mood of my video — and get music-bac...

0· 51·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, endpoints, and required NEMO_TOKEN align with a cloud video-processing/music-addition service. However the SKILL.md frontmatter includes a configPaths value (~/.config/nemovideo/) which is not listed in the registry's top-level requirements — this mismatch is unexplained and could indicate the skill expects local config access or to persist tokens locally.
Instruction Scope
SKILL.md instructs the agent to create/refresh a bearer token, create sessions, upload user video files, stream SSE responses, and poll render status — all expected for a cloud render service. No instructions request unrelated system files or unrelated credentials, but the frontmatter/configPaths hint (and the requirement to auto-detect an install path for X-Skill-Platform) expands scope slightly and should be clarified.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer, so installation risk is low. The runtime will perform network calls to the documented API endpoints.
!
Credentials
Only NEMO_TOKEN is required, which is appropriate. The concern is the frontmatter's configPaths entry (~/.config/nemovideo/) that suggests access to local config/storage (potentially containing tokens). The registry-level requirements omitted this path, creating an inconsistency that could lead to unexpected local reads/writes.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill will store session_id and tokens as part of its flow (expected for a session-based API) but does not request system-wide privileges or other skills' configs.
What to consider before installing
This skill appears to do what it claims (upload videos to a cloud API, add music, return exports) and only needs a NEMO_TOKEN, but two things to check before installing: (1) Ask the author whether the skill will read or write ~/.config/nemovideo/ (where tokens or other user data might be stored) — the frontmatter lists that path but the registry metadata does not. (2) Confirm the backend domain (mega-api-prod.nemovideo.ai) and the service's privacy/retention policy for uploaded videos (will your videos be stored, reviewed, or used to train models?). Also: avoid reusing high-privilege secrets in NEMO_TOKEN, prefer ephemeral/anonymous tokens for testing, and verify whether exports or billing/credit operations could incur charges before sending sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d5yqx6nyc9ak2b189bdry1584nsrz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments