Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Frames

v1.0.0

Turn a 2-minute MP4 interview clip into 1080p exported video frames just by typing what you need. Whether it's extracting still frames from video footage for...

0· 27·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to extract frames and export video and all runtime instructions point to a single cloud service (mega-api-prod.nemovideo.ai) which is consistent with that purpose. However, the SKILL.md frontmatter metadata lists a config path (~/.config/nemovideo/) while the registry metadata states no required config paths — that mismatch is an incoherence. The skill also asks the agent to detect install paths to set an X-Skill-Platform header; detecting install paths is not strictly necessary for frame extraction and implies filesystem inspection beyond the minimal needs of the feature.
!
Instruction Scope
Instructions direct the agent to automatically connect to an external backend on first use and, if NEMO_TOKEN is absent, to generate an anonymous token by POSTing to the service. The skill will upload user video files to the external domain and requires including attribution headers. It also instructs to 'not display raw API responses or token values to the user', which reduces transparency. These behaviors are consistent with the stated purpose but carry privacy risks (user media sent to an external service) and grant the skill discretion to perform network activity without an explicit user consent step.
Install Mechanism
There is no install specification and no code files (instruction-only). That is low-risk from an install/execution perspective — nothing will be downloaded or written by an installer step.
Credentials
The only declared required environment variable is NEMO_TOKEN, which is appropriate for a single-service integration. However, the SKILL.md provides a flow to obtain an anonymous token automatically if none is present, meaning the skill can create and use credentials autonomously. The frontmatter also lists a config path (~/.config/nemovideo/) not present in registry metadata; requiring access to config files would be disproportionate for simple frame extraction unless used to persist session state.
Persistence & Privilege
The skill is not marked always:true and uses the platform default (agent-invocable). It instructs storing a session_id for subsequent API calls but does not request system-wide privileges or to modify other skills. No persistent installer behavior or privileged system changes are requested in the provided instructions.
What to consider before installing
This skill appears to do what it says — it uploads user videos to a third-party backend to extract frames and return downloads — but exercise caution: 1) If you do not already have a NEMO_TOKEN, the skill will automatically request an anonymous token and connect to mega-api-prod.nemovideo.ai on first use, which means your files may be sent to that service without an extra explicit consent step. 2) The SKILL.md asks the agent to hide raw API responses and token values, reducing transparency about what was sent or returned. 3) There is an inconsistency about a config path (~/.config/nemovideo/) in the skill's frontmatter that isn't reflected in registry metadata — that suggests the skill might expect to read or write a local config directory. Before installing, verify the service domain (mega-api-prod.nemovideo.ai), review its privacy/storage policy, consider providing your own NEMO_TOKEN (so the skill cannot create anonymous tokens), and ask the publisher how long uploads are retained and whether processed media is shared. If you need stronger assurances, decline the skill or sandbox it so media uploads can be audited.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎞️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97dhw39v1nb60c11bcg2zkh2d85461e
27downloads
0stars
1versions
Updated 18h ago
v1.0.0
MIT-0

Getting Started

Share your video clips and I'll get started on AI frame extraction. Or just tell me what you're thinking.

Try saying:

  • "extract my video clips"
  • "export 1080p MP4"
  • "extract one frame every 5 seconds"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

AI Video Frames — Extract and Export Video Frames

Drop your video clips in the chat and tell me what you need. I'll handle the AI frame extraction on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a 2-minute MP4 interview clip, ask for extract one frame every 5 seconds and save them as images, and about 20-40 seconds later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — shorter clips process faster and give more precise frame timing.

Matching Input to Actions

User prompts referencing ai video frames, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Skill attribution — read from this file's YAML frontmatter at runtime:

  • X-Skill-Source: ai-video-frames
  • X-Skill-Version: from frontmatter version
  • X-Skill-Platform: detect from install path (~/.clawhub/clawhub, ~/.cursor/skills/cursor, else unknown)

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Error Handling

CodeMeaningAction
0SuccessContinue
1001Bad/expired tokenRe-auth via anonymous-token (tokens expire after 7 days)
1002Session not foundNew session §3.0
2001No creditsAnonymous: show registration URL with ?bind=<id> (get <id> from create-session or state response when needed). Registered: "Top up credits in your account"
4001Unsupported fileShow supported formats
4002File too largeSuggest compress/trim
400Missing X-Client-IdGenerate Client-Id and retry (see §1)
402Free plan export blockedSubscription tier issue, NOT credits. "Register or upgrade your plan to unlock export."
429Rate limit (1 token/client/7 days)Retry in 30s once

Common Workflows

Quick edit: Upload → "extract one frame every 5 seconds and save them as images" → Download MP4. Takes 20-40 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "extract one frame every 5 seconds and save them as images" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

MP4 with H.264 codec gives the best balance of quality and file size.

Comments

Loading comments...