ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Generator Free

v1.0.0

Turn a short blog post about travel tips into 1080p ready-to-upload videos just by typing what you need. Whether it's generating YouTube videos from text or...

0· 37·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (generate YouTube videos from text) aligns with the runtime instructions that call a remote rendering API (nemovideo.ai). However the registry metadata and the SKILL.md disagree: registry lists no config paths while the SKILL.md frontmatter declares configPaths (~/.config/nemovideo/) and requires.env lists NEMO_TOKEN even though the SKILL.md contains a full anonymous-token acquisition flow. These inconsistencies look like sloppy packaging rather than an immediate red flag, but they should be clarified.
Instruction Scope
The SKILL.md instructs only network interactions with the named backend (auth, session creation, SSE streaming, upload, render) and modest local checks (detecting install path for an attribution header). It does not instruct reading unrelated system credentials or scanning arbitrary files. It does instruct storing the anonymous token and session_id for subsequent requests and to avoid showing raw token values to the user.
Install Mechanism
No install spec or downloaded code is present (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk install model.
Credentials
The only credential referenced is NEMO_TOKEN (declared as primary), which is consistent with a third-party video service. However, the SKILL.md describes acquiring an anonymous token itself if NEMO_TOKEN is not present, so marking NEMO_TOKEN as a required environment variable in registry metadata is misleading. The SKILL.md also references a config path (~/.config/nemovideo/) in its frontmatter that the registry metadata omitted — this mismatch should be resolved. No unrelated tokens or high-privilege env vars are requested.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It will store an acquired token and session_id for its own use (normal for an API-backed skill). It also inspects install paths for attribution headers, which is low-privilege but should be noted.
What to consider before installing
This skill will contact https://mega-api-prod.nemovideo.ai, obtain and store an anonymous token (unless you pre-provide NEMO_TOKEN), create sessions, stream SSE responses, upload files, and return download URLs. The core functionality aligns with its description, but the package metadata and the instructions disagree about whether a NEMO_TOKEN/config path is required — ask the publisher to clarify. Before installing: (1) confirm you trust the nemovideo.ai service and the unknown skill author, (2) do not supply any unrelated secrets (AWS, GitHub, etc.), (3) be aware the skill will send your uploaded media and text to a third-party server, and (4) if you want stricter control, require manual consent before the skill auto-fetches tokens or uploads files. If you need higher assurance, request the publisher to fix the metadata inconsistencies and provide a privacy/terms link for the backend.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b4vs1n896p072hjbxwcb9j184qyaz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments