Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Intro

v1.0.0

YouTubers generate video clips into a branded intro clip using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p, and returns...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description align with contacting a nemo video render API and needing a rendering token. However the registry marks NEMO_TOKEN as required while the runtime instructions explicitly provide an anonymous-token fallback, which is inconsistent. The metadata also declares a config path (~/.config/nemovideo/) that isn't clearly needed for the core 'upload and render' flow.
Instruction Scope
SKILL.md instructs the agent to call multiple external endpoints and to upload user media (expected). But it also instructs detection of install paths (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header and references a config path in metadata — these filesystem probes are not declared in requires.configPaths and are outside the minimal needs for rendering. The document gives broad runtime discretion (SSE handling, polling behavior) which is fine for a client but grants the agent latitude to read local paths and perform network calls beyond a simple API key usage.
Install Mechanism
Instruction-only skill with no install spec or bundled code — low installation risk since nothing is written to disk by an installer. All runtime behavior is through API calls.
Credentials
Only one credential (NEMO_TOKEN) is declared which fits a remote rendering service. But the metadata marks NEMO_TOKEN required while SKILL.md explicitly implements an anonymous-token flow if no NEMO_TOKEN is present — this mismatch should be clarified. The skill also lists a config path in metadata, suggesting it may read local config, which increases scope and should be justified.
Persistence & Privilege
always is false and there is no install-time persistence requested. The skill does create sessions with the remote service but does not request permanent elevated privileges or modify other skills' configs.
What to consider before installing
This skill appears to be a client for an external video-rendering API and will upload user media to that service. Before installing:
1) Verify the service/domain (mega-api-prod.nemovideo.ai) and the skill author; the registry shows no homepage/source.
2) Confirm whether you need to set NEMO_TOKEN; the SKILL.md can obtain an anonymous token automatically, so the registry's 'required env var' label is inconsistent.
3) Be aware the instructions ask the agent to detect local install paths and reference a local config path (~/.config/nemovideo/); if you are uncomfortable with a skill probing your home directory for evidence of other installs or configs, do not enable it.
4) Avoid using high-privilege or long-lived credentials as NEMO_TOKEN; use a scoped token or rotate it after testing.
5) If you need stronger assurance, request the skill's source code or an authoritative homepage and ask the author to remove or explicitly justify filesystem probes and to correct the required-env documentation.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
