Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Photo Video Maker

v1.0.0

Cloud-based youtube-photo-video-maker tool that handles creating YouTube videos from photo collections. Upload JPG, PNG, HEIC, WebP files (up to 500MB), desc...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (YouTube photo→video maker) aligns with the behavior: the SKILL.md instructs uploading images and requesting renders from a cloud backend and requires a single credential (NEMO_TOKEN). However the YAML frontmatter/metadata includes a configPaths entry (~/.config/nemovideo/) even though the registry summary listed no required config paths — this mismatch is unexplained.
Instruction Scope
Runtime instructions direct the agent to POST to https://mega-api-prod.nemovideo.ai for anonymous-token, session creation, uploads (multipart or URL), SSE, and render polling. That behavior is expected for a cloud video service, but it means user images and activity will be sent to a third-party endpoint. The skill also derives attribution headers from an install path (detecting ~/.clawhub/ or ~/.cursor/skills/), which implies the agent may inspect its environment/install path. The instructions explicitly say to auto-generate an anonymous token if NEMO_TOKEN is absent — this will create and store/use credentials without the user manually supplying them.
Install Mechanism
This is instruction-only with no install spec or code files, so no packages are downloaded or written to disk by an installer. That minimizes install-time risk.
Credentials
Only one credential is requested (NEMO_TOKEN), which is proportional to the described cloud service. But metadata references a config path (~/.config/nemovideo/) and the runtime needs to detect install path to set X-Skill-Platform — the registry's earlier 'required config paths: none' conflicts with the frontmatter. If the agent actually reads those paths it could reveal local installation information or reuse existing tokens; the SKILL.md does not justify that fully.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request elevated/system-level privileges or modification of other skills. Autonomous invocation remains allowed (platform default).
What to consider before installing
This skill will upload any photos you give it to a third-party service (mega-api-prod.nemovideo.ai) and will either use a NEMO_TOKEN you supply or create an anonymous token for you. Before installing or using it, consider: (1) Don’t upload sensitive images unless you trust the service and its retention/privacy policy; (2) If you prefer control, set NEMO_TOKEN yourself instead of letting the skill auto-generate one; (3) Ask the publisher for a homepage/privacy policy and clarify how long uploads and generated videos are stored; (4) Note the small metadata inconsistency: the skill references ~/.config/nemovideo/ and reads install-path info to set headers — confirm whether you’re comfortable with the agent inspecting those local paths. If you need higher assurance, request the skill author to provide a homepage, privacy policy, and to remove any automatic token creation or local path inspection.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ezja4zbcr833zbthvaj57tx84nq00

Runtime requirements

🎞️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
