ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Add Music To

v1.0.0

add video clips into music-backed videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators use it for adding background mus...

0· 22·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the API calls and token usage in SKILL.md — NEMO_TOKEN is an appropriate credential for a remote video-processing API. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths, an inconsistent declaration that should be explained.
Instruction Scope
Instructions stay within the declared purpose (upload, session management, SSE, export). They instruct the agent to generate anonymous tokens, create sessions, upload files, and poll renders. One scope concern: the skill says it will 'detect' the install path to set X-Skill-Platform (checking ~/.clawhub/, ~/.cursor/skills/ or else), which implies reading filesystem paths outside the skill file; this is not justified by the core functionality and should be clarified.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written to disk by an installer step in the provided content.
Credentials
Only NEMO_TOKEN is required, which is proportionate to calling the nemo API. But the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that is not listed in the registry requirements; this discrepancy could indicate either missing registry metadata or an instruction to access local configuration that wasn't declared.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It does ask to persist session_id and tokens for operation (normal for an API client); autonomous invocation is allowed but that is the platform default and not, by itself, problematic.
What to consider before installing
This skill generally does what it says — it talks to a nemo video-processing API and needs a NEMO_TOKEN. Before installing, confirm: (1) the endpoint (mega-api-prod.nemovideo.ai) is legitimate for the provider you expect; (2) why the skill frontmatter lists ~/.config/nemovideo/ (it may read that directory) while the registry says no config paths — ask the publisher to clarify and to update registry metadata; (3) whether the skill will actually read your home directory to detect install paths (it should not need broad filesystem access to function); (4) how tokens and session_ids are stored and for how long (tokens can be anonymous and short-lived, but persistent NEMO_TOKEN could be sensitive). Also avoid uploading private or sensitive video/audio until you verify the service's privacy policy and origin.

Like a lobster shell, security has layers — review code before you run it.

latestvk9790gfdf08ven71c1tknha3zs84njgh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments