Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Lip Sync Video
v1.0.0
Drop a video and a new audio track, and watch mouths move in perfect sync — no studio, no reshoots required. This ai-lip-sync-video skill analyzes facial mov...
by @udnerc
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (AI lip-syncing) match the runtime instructions: calls to a nemovideo.ai API for session creation, uploads, SSE streaming and rendering are appropriate for remote video processing.
Instruction Scope
The SKILL.md instructs the agent to upload user video/audio to https://mega-api-prod.nemovideo.ai and to create/use session tokens. It also auto-provisions an anonymous token if NEMO_TOKEN is not present. While expected for a cloud-processing skill, this means user media will be transmitted to an external service and the skill will reach out to the network and read some local metadata (install path, YAML frontmatter). Users should be aware of privacy, retention, and where data is sent.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is low install risk.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which matches the described API auth. The frontmatter also declares a config path (~/.config/nemovideo/) and the instructions will auto-request an anonymous token if NEMO_TOKEN is missing — this is reasonable but notable because it causes outbound network activity and creation/storage of credentials.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills, and has no install-time persistence specified. It does ask to detect install path and read its own frontmatter for attribution headers, which is limited and expected.
What to consider before installing
Plain-language guidance:
- This skill will upload your video and audio files to a third-party service (mega-api-prod.nemovideo.ai) for processing. Do not use it for sensitive or confidential footage unless you trust that service and have verified its privacy/retention policy.
- The skill will look for a NEMO_TOKEN in the environment but will automatically request an anonymous token from the service if none is provided; that means the skill will make outbound network calls even without explicit credentials. If you prefer control, provide your own NEMO_TOKEN from a trusted Nemo account (and review how long tokens remain valid).
- Source provenance is weak: the skill has no homepage and an unknown source owner. Consider asking the publisher for documentation, a privacy policy, and an official service link before installing.
- There are potential billing/credits implications: the SKILL.md mentions credits and free trials (100 free credits, 7-day expiry). Confirm what operations consume credits and whether exports or large renders might incur charges.
- If you decide to use it: test with non-sensitive sample files first, monitor outbound requests, and, if possible, run the skill in a sandboxed environment. Revoke or rotate any tokens you created for testing once finished.
What would change this assessment: verifiable publisher/source (official homepage or GitHub repo), clear privacy/terms for nemovideo.ai, or explicit statement that media stays local (which it currently does not).
latest: vk978t2m6mq4avn0fnp56zfe055849rmk
Runtime requirements
🎙️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
