ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best To Video Ai

v1.0.0

marketers, content creators, educators convert text or script into AI-generated videos using this skill. Accepts TXT, DOCX, PDF, MP4 up to 200MB, renders on...

0· 47·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to convert text into videos and requires a NEMO_TOKEN bearer token for the backend — that is consistent. However, the SKILL.md YAML frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare; that discrepancy could indicate the skill expects to read local config (e.g., stored tokens) even though the registry says no config paths are required.
Instruction Scope
The runtime instructions are primarily network calls to a single backend (mega-api-prod.nemovideo.ai) and operations needed for upload/session/export. The instructions do not explicitly instruct the agent to read arbitrary user files or unrelated env vars, but they do instruct using NEMO_TOKEN from the environment or obtaining an anonymous token. The presence of an undeclared config path in the frontmatter raises the possibility the agent could also look for local credentials/config, which is not spelled out in the human-facing steps.
Install Mechanism
No install spec or code is included; this is instruction-only, so nothing would be written to disk during install. That lowers risk from arbitrary code install.
!
Credentials
Only NEMO_TOKEN is declared as a required env var (primary credential), which matches the backend usage. However, the frontmatter's configPaths suggests the skill may access a local config directory (potentially containing persistent tokens or other sensitive data) despite the registry listing none. Accepting a bearer token from environment grants the skill broad access to the backend (including uploads, renders, and account credits/billing), so supplying a personal/global token without limits is potentially risky.
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence. Autonomous invocation (model can call skill) is allowed by default but is not combined here with escalation or system-wide config changes.
What to consider before installing
This skill looks functionally coherent for converting text to video, but there are a few red flags you should consider before installing or exposing credentials: - Source is unknown and there is no homepage or repo; prefer skills from known publishers. - Do NOT export your personal NEMO_TOKEN unless you trust the operator; a bearer token can allow uploads, renders, and billing actions. If you must supply a token, create a limited/test token or account. - The SKILL.md frontmatter references ~/.config/nemovideo/ even though the registry metadata said no config paths — ask the publisher whether the agent will read that directory (it could contain tokens or config). - The skill will upload your files to https://mega-api-prod.nemovideo.ai. Avoid sending sensitive or proprietary content until you confirm the service's privacy/data-retention policies. - Because this is instruction-only, there is no code to inspect; request source code or a public API doc if you need stronger assurance. - If you want to try safely: rely on the advertised anonymous-token flow (ephemeral credits) or create a disposable account/token, and test with non-sensitive content first.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ghjsp06k01dw83380pyak184maqf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments