ClawHub

Browser Video Generation

v1.0.0

Get ready-to-share videos ready to post, without touching a single slider. Upload your text prompts (MP4, MOV, WebM, GIF, up to 500MB), say something like "g...

0· 35·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (cloud video generation) aligns with required credential (NEMO_TOKEN) and with the runtime instructions that call mega-api-prod.nemovideo.ai. One small inconsistency: registry metadata earlier listed no required config paths, but the SKILL.md YAML frontmatter declares configPaths (~/.config/nemovideo/). This looks like a bookkeeping mismatch rather than malicious behavior.
Instruction Scope
SKILL.md instructs the agent to obtain/use an API token, create a session, upload user media, poll SSE endpoints, and return download URLs — all appropriate for the stated task. It will send user files (up to 500MB) and metadata to an external service (mega-api-prod.nemovideo.ai). The skill also instructs deriving an X-Skill-Platform header from the install path (~/.clawhub/ or ~/.cursor/skills/) which requires inspecting the agent's install location. No instructions ask for unrelated system files or other credentials, but uploading user data to an external cloud service is a privacy-sensitive action and should be expected.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only NEMO_TOKEN is required and is proportional to a cloud video API. The SKILL.md also references a local config path (~/.config/nemovideo/) in its frontmatter which may indicate optional local state storage—registry metadata contradicted this. The skill can create an anonymous token on the user's behalf (less sensitive than asking for long-lived credentials), but that token will authorize uploads of user media and should be treated as sensitive.
Persistence & Privilege
The skill is not always:true and does not request elevated/platform-wide privileges. It instructs saving session_id and using tokens for API calls (normal for session-based services). It does require reading the install path to set X-Skill-Platform header, but it does not request modifying other skills or system-wide configuration.
Assessment
This skill appears to do what it says: it will upload your media and prompts to mega-api-prod.nemovideo.ai and return rendered videos. Before installing or using it: 1) Be comfortable that your files (video, images, scripts) will be uploaded to that external service — do not send sensitive or private files. 2) NEMO_TOKEN is a bearer token: treat it like a password. The skill can generate a short-lived anonymous token for you, but that token still grants upload/render rights for ~7 days. 3) Note the metadata discrepancy about a local config path (~/.config/nemovideo/) — if you prefer no local state, check where the agent stores session info. 4) The skill derives an X-Skill-Platform header from the agent install path, which reveals which client you’re running; if that concerns you, review or sanitize that behavior. 5) Because this is an instruction-only skill from an unknown source with no homepage, review the service’s privacy/terms at nemovideo.ai (or contact the provider) before uploading any private content. If you want, I can list the exact API endpoints and headers the skill will call so you can audit network traffic or firewall them.

Like a lobster shell, security has layers — review code before you run it.

latestvk9752nh508fkqy3ce6pt0b7tdh84trdd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments