Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Green Screen Video
v1.0.0
Replace video footage into background-replaced videos with this green-screen-video skill. Works with MP4, MOV, AVI, WebM files up to 500MB. YouTubers, stream...
by @udnerc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared capability (cloud-based green-screen background replacement) matches the runtime instructions: endpoints, upload flow, rendering/generation and use of a service token (NEMO_TOKEN) are consistent with that purpose. No unrelated credentials or local binaries are requested.
Instruction Scope
Instructions reasonably limit actions to creating/using a session, uploading user-provided media, streaming edits via SSE, and polling render status. This necessarily transmits user video/audio to https://mega-api-prod.nemovideo.ai — expected for the stated function but important to note as data exfiltration to a third party. The frontmatter also lists a config path (~/.config/nemovideo/) though the instructions never explain reading it.
Install Mechanism
No install script or third-party package is specified (instruction-only skill), so nothing is written to disk by an installer. This is the lowest-risk install profile.
Credentials
The only required secret is NEMO_TOKEN, which is proportionate for a hosted API. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) that the registry metadata did not list — an inconsistency. Also the skill instructs generating an anonymous token if NEMO_TOKEN isn't present and persisting/using it; users should understand this token grants upload/render access for 7 days.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does instruct saving session_id and using tokens for session management (normal for this service), but it does not ask to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it claims (it uploads your videos to a cloud render service and returns processed files), but you should be cautious before installing or using it:
1) There is no homepage or verifiable publisher info—verify the service independently if possible.
2) Using the skill will upload your video/audio to https://mega-api-prod.nemovideo.ai; do not send sensitive or private footage unless you trust that endpoint and its privacy policy.
3) The SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) that the registry didn't—ask the author what that is used for before granting any file or config access.
4) The skill can generate an anonymous token and persist it for up to 7 days; understand and control where that token is stored.
If you need stronger assurance, request a published homepage, privacy policy, or an official SDK/owner verification before use.
Like a lobster shell, security has layers — review code before you run it.
latest vk974khdhxnn0bz3kjvdbvd782d84kst0
Runtime requirements
🟩 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
