ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Generative

v1.0.0

Get AI-generated video clips ready to post, without touching a single slider. Upload your text prompts or images (MP4, MOV, PNG, JPG, up to 200MB), say somet...

0· 34·0 current·0 all-time
by@vcarolxhberger
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Requesting a single service token (NEMO_TOKEN) and calling a remote video-render API aligns with a video-generation skill. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata did not list, and the skill instructs deriving X-Skill-Platform from local install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) — both suggest access to local paths or environment information that is not fully reflected in the declared requirements.
!
Instruction Scope
The runtime instructions tell the agent to automatically connect to the external API when a user first opens the skill and to automatically obtain an anonymous token if NEMO_TOKEN is not present. It also tells the agent to 'keep setup communication brief' and 'don't display raw API responses or token values to the user.' Automatic network calls and token generation (and the instruction to hide responses) are surprising behaviors: users may not expect the skill to contact a third-party and upload files (up to 200MB) without explicit, visible consent. The SKILL.md also instructs scanning SSE streams, polling state, and deriving headers from local install paths — all of which broaden the agent's duties beyond simple prompt-to-upload flow.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk risk — nothing is being downloaded or extracted by the skill itself.
Credentials
Only one environment variable is declared (NEMO_TOKEN), which is proportionate to calling an authenticated rendering API. However, the YAML frontmatter inside SKILL.md includes a configPaths entry (~/.config/nemovideo/) that was not declared in the registry metadata; this mismatch could indicate incomplete metadata or an expectation that the skill will read or write that path.
Persistence & Privilege
The skill is not marked always:true and does not request to modify other skills or system-wide settings. The main persistent behavior is holding a session_id for ongoing API calls and the guidance to store it for subsequent requests; how and where that is stored is unspecified but likely ephemeral per-agent-session.
What to consider before installing
This skill will send your prompts and uploaded media files (up to ~200MB) to a third-party domain (mega-api-prod.nemovideo.ai) and will automatically request an anonymous token if none is present. Before installing: 1) Confirm you trust nemovideo.ai to receive your media and prompts. 2) Prefer supplying your own NEMO_TOKEN manually rather than letting the skill auto-obtain one if you want control. 3) Ask the author how/where session tokens are stored and whether uploads or metadata are retained beyond the job's lifetime. 4) Note the SKILL.md mentions a local config path and deriving platform from install paths — if you’re worried about privacy, restrict the agent’s file-system access or don’t install. If you need absolute assurance, request a signed/official endpoint, clearer metadata about config paths, and explicit user consent steps before any network upload.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97fywypjt530vsv2qp1sxwdkn85a3c9
34downloads
0stars
1versions
Updated 23h ago
v1.0.0
MIT-0
@vcarolxhberger
latest
Download

Getting Started

Share your text prompts or images and I'll get started on AI video generation. Or just tell me what you're thinking.

Try saying:

  • "generate my text prompts or images"
  • "export 1080p MP4"
  • "generate a 10-second cinematic clip of"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

Video Generative — Generate Videos from Text or Images

Drop your text prompts or images in the chat and tell me what you need. I'll handle the AI video generation on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a text prompt describing a sunset over a city skyline, ask for generate a 10-second cinematic clip of a futuristic city at night, and about 1-3 minutes later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — shorter, more specific prompts tend to produce more accurate results.

Matching Input to Actions

User prompts referencing video generative, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is video-generative, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Common Workflows

Quick edit: Upload → "generate a 10-second cinematic clip of a futuristic city at night" → Download MP4. Takes 1-3 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "generate a 10-second cinematic clip of a futuristic city at night" — concrete instructions get better results.

Max file size is 200MB. Stick to MP4, MOV, PNG, JPG for the smoothest experience.

Export as MP4 for widest compatibility across platforms and devices.

Comments

Loading comments...