Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video Producer

v1.0.0

create raw video footage into polished MP4 videos with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. content creators and small business owne...

0· 28·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (cloud-based video editing/exports) match the API endpoints and flows described in SKILL.md: session creation, upload, SSE-based editing, render/export. Requiring a NEMO_TOKEN for authorization is proportionate. However, the SKILL.md YAML metadata references a local config path (~/.config/nemovideo/) and install-path detection for X-Skill-Platform, while the registry metadata listed no required config paths — this mismatch is an incoherence.
!
Instruction Scope
Most runtime instructions stay within the stated purpose (establish session, upload files, run SSE edits, poll render). Concerns: (1) the skill instructs the agent to detect local install paths (~/.clawhub/, ~/.cursor/skills/) and include that platform string in an attribution header; (2) metadata refers to ~/.config/nemovideo/ (potential config probing); (3) instructions explicitly tell the agent to 'keep technical details out of the chat', which reduces transparency about network activity. Probing and sending local-path/config information to the remote API is outside what a typical video-editor skill strictly needs and risks leaking environment details.
Install Mechanism
Instruction-only skill with no install specification and no code files. This is the lowest-risk install pattern (nothing is written to disk by the skill itself).
!
Credentials
The only declared required credential is NEMO_TOKEN (primaryEnv), which is appropriate for a backend API. The skill provides an anonymous-token fallback flow that posts to the service to obtain a token (acceptable). The concern is that the SKILL.md metadata and request headers cause the agent to read local install/config paths (not declared as required in the registry) and include that information in requests, meaning filesystem data could be transmitted to the remote service. That is disproportionate to the core task and risks leaking local environment metadata. Also verify what privileges the NEMO_TOKEN grants before providing a long-lived token.
Persistence & Privilege
The skill does not request 'always: true' and has no install-time persistence. It does not ask to modify other skills or system-wide settings. Session tokens used for renders are ephemeral per the instructions.
What to consider before installing
This skill appears to be a legitimate cloud video-rendering front end and only needs an API token to run, but there are two things to watch for before installing/using it: (1) it instructs the agent to probe local install/config paths (~/.clawhub/, ~/.cursor/, ~/.config/nemovideo/) and to include that info in request headers — that can leak environment details to the remote service and is not necessary for basic upload/render operations; (2) confirm what scope and lifetime NEMO_TOKEN has. Prefer using the anonymous starter token when possible, avoid providing a long-lived full-access token, and only upload files you are comfortable sending to an external service. Ask the skill author to remove or make explicit the filesystem probes and to document exactly what NEMO_TOKEN permissions are and why local-path headers are needed. If you require higher assurance, request independent verification of the API domain (mega-api-prod.nemovideo.ai) and a privacy policy explaining how uploaded media and local metadata are stored and used.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk9734abbpdsehjz1r3jp908aw5854zky
28downloads
0stars
1versions
Updated 19h ago
v1.0.0
MIT-0

Getting Started

Share your raw video footage and I'll get started on AI video creation. Or just tell me what you're thinking.

Try saying:

  • "create my raw video footage"
  • "export 1080p MP4"
  • "trim the footage, add background music,"

Getting Connected

Before handling any user request, establish a connection to the backend API. Show a brief status like "Connecting...".

If NEMO_TOKEN is in the environment, use it directly and create a session. Otherwise, acquire a free starter token:

  • Generate a UUID as client identifier
  • POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with the X-Client-Id header
  • The response includes a token with 100 free credits valid for 7 days — use it as NEMO_TOKEN

Then create a session by POSTing to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer authorization and body {"task_name":"project","language":"en"}. The session_id in the response is needed for all following requests.

Tell the user you're ready. Keep the technical details out of the chat.

Free Video Producer — Create and Export Finished Videos

Drop your raw video footage in the chat and tell me what you need. I'll handle the AI video creation on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a 2-minute screen recording or phone clip, ask for trim the footage, add background music, and export as a shareable video, and about 1-2 minutes later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — shorter clips under 60 seconds process significantly faster.

Matching Input to Actions

User prompts referencing free video producer, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is free-video-producer, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

Include Authorization: Bearer <NEMO_TOKEN> and all attribution headers on every request — omitting them triggers a 402 on export.

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

SSE Event Handling

EventAction
Text responseApply GUI translation (§4), present to user
Tool call/resultProcess internally, don't forward
heartbeat / empty data:Keep waiting. Every 2 min: "⏳ Still working..."
Stream closesProcess final response

~30% of editing operations return no text in the SSE stream. When this happens: poll session state to verify the edit was applied, then summarize changes to the user.

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Error Handling

CodeMeaningAction
0SuccessContinue
1001Bad/expired tokenRe-auth via anonymous-token (tokens expire after 7 days)
1002Session not foundNew session §3.0
2001No creditsAnonymous: show registration URL with ?bind=<id> (get <id> from create-session or state response when needed). Registered: "Top up credits in your account"
4001Unsupported fileShow supported formats
4002File too largeSuggest compress/trim
400Missing X-Client-IdGenerate Client-Id and retry (see §1)
402Free plan export blockedSubscription tier issue, NOT credits. "Register or upgrade your plan to unlock export."
429Rate limit (1 token/client/7 days)Retry in 30s once

Common Workflows

Quick edit: Upload → "trim the footage, add background music, and export as a shareable video" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "trim the footage, add background music, and export as a shareable video" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility across platforms and devices.

Comments

Loading comments...