Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Avatar Video

v1.0.0

Cloud-based best-avatar-video tool that handles creating realistic talking avatar videos from photos and scripts. Upload JPG, PNG, MP4, MOV files (up to 200M...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the runtime instructions: the skill routes uploads and text to the nemo video API and requires a NEMO_TOKEN. Declared config path (~/.config/nemovideo/) and primaryEnv NEMO_TOKEN are coherent with a cloud rendering provider.
Instruction Scope
Instructions are explicit about API endpoints, session/token lifecycle, SSE streaming, uploads, and error codes — these are within the expected scope. Two items to note: (1) the skill asks the agent to read the SKILL.md frontmatter and to detect the install path (to populate X-Skill-Platform), which requires access to local path context; (2) the SKILL.md contained Unicode control characters flagged by the scanner (unicode-control-chars), which can be used for prompt injection or to hide directives. Neither alone proves malicious intent, but both merit manual inspection.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk installation surface (nothing is written to disk by an installer).
Credentials
Only NEMO_TOKEN is required (primary credential). That matches the described cloud API usage. The metadata also references a config path (~/.config/nemovideo/) which is plausible for local token caching; however, any token storage/access should be reviewed because it grants the external service the ability to act on behalf of the user.
Persistence & Privilege
The skill is not force-included (always: false) and requests only to save session_id for jobs — expected behavior for a remote rendering workflow. It does not request elevated platform-wide privileges.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contains unicode control characters. These are not necessary for a simple API integration and can hide content or alter parsing; inspect the raw file for hidden instructions or malicious payloads before trusting the skill.
What to consider before installing
This skill looks like a legitimate client for an external avatar-rendering API and asks only for a NEMO_TOKEN — which is appropriate. However:
1) Inspect the SKILL.md source for invisible/control characters (the scanner flagged them); remove or request a clean copy if you see any hidden content.
2) Confirm the service domain (mega-api-prod.nemovideo.ai) and the skill's author before supplying real credentials. Prefer using an ephemeral or restricted NEMO_TOKEN (or anonymous token) rather than a long-lived account credential.
3) Remember any images, audio, or scripts you upload will be sent to the external service — do not upload sensitive or private material unless you accept that risk.
4) If you need stronger assurance, ask the publisher for provenance (homepage, owner identity) or request an audited/verifiable implementation (code or official client).
If you proceed, test first with non-sensitive sample media and limited-scoped credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ygs6nv3j6kydjg6jy5m7hs84j60v

Runtime requirements

🧑‍💻 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
