Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

School Program Video

v1.0.0

Turn a 3-minute recording of a school science fair presentation into 1080p polished program videos just by typing what you need. Whether it's editing school...

0· 16·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (remote GPU video editing) aligns with the runtime instructions that call a remote rendering API. However there is an inconsistency between registry metadata (no required config paths) and the SKILL.md frontmatter (metadata requests ~/.config/nemovideo/). Also the registry marks NEMO_TOKEN as required, yet the instructions describe auto-generating an anonymous token if NEMO_TOKEN is absent.
!
Instruction Scope
Instructions direct the agent to auto-connect to a remote backend, POST for an anonymous token, create and store session IDs, and include attribution headers on all requests. They also say not to display raw API responses or token values to the user. The skill asks to auto-detect an install path for an X-Skill-Platform header (which implies reading environment/install paths). These behaviors expand the runtime scope beyond simple user-driven uploads and raise privacy/transparency concerns.
Install Mechanism
No install spec or code is present (instruction-only), so nothing is written to disk at install time and no external packages are pulled in. This reduces immediate supply-chain risk.
Credentials
Only one credential (NEMO_TOKEN) is declared as primary, which is appropriate for a remote service. But the SKILL.md both requires checking for NEMO_TOKEN and describes generating an anonymous token when missing — the registry's required-env vs the runtime flow are inconsistent. The skill also references a config path in its frontmatter, which was not listed in the registry metadata.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it requests storing a session_id for ongoing API calls (normal for a remote session). It does not request elevated or cross-skill privileges and does not force permanent presence.
What to consider before installing
This skill appears to be an instruction-only connector to a third-party video-rendering service and is internally plausible, but you should be cautious before installing or using it with student footage. Ask the publisher for: (1) a clear privacy/retention policy (where uploaded videos are stored, who can access them, retention and deletion), (2) confirmation of whether the skill will auto-generate tokens and initiate network calls without an explicit user prompt, and (3) an explanation for the config path / metadata mismatch. If you plan to upload recordings of minors, verify legal/regulatory compliance (COPPA/FERPA or local rules). Prefer using a dedicated service account token with limited scope rather than sharing broad credentials, and avoid installing if you cannot confirm the provider identity and data-handling practices.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎓 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk9711k3xx0zs9sf67wpq8w2nxd855y8e
16downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0

Getting Started

Ready when you are. Drop your raw footage here or describe what you want to make.

Try saying:

  • "create a 3-minute recording of a school science fair presentation into a 1080p MP4"
  • "trim the footage, add title cards for each segment, and include background music"
  • "editing school event and program recordings into shareable videos for teachers and school administrators"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

School Program Video — Edit and Export School Program Videos

Send me your raw footage and describe the result you want. The AI video editing runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a 3-minute recording of a school science fair presentation, type "trim the footage, add title cards for each segment, and include background music", and you'll get a 1080p MP4 back in roughly 1-2 minutes. All rendering happens server-side.

Worth noting: breaking long school programs into shorter segments by event or speaker speeds up processing.

Matching Input to Actions

User prompts referencing school program video, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Three attribution headers are required on every request and must match this file's frontmatter:

HeaderValue
X-Skill-Sourceschool-program-video
X-Skill-Versionfrontmatter version
X-Skill-Platformauto-detect: clawhub / cursor / unknown from install path

Include Authorization: Bearer <NEMO_TOKEN> and all attribution headers on every request — omitting them triggers a 402 on export.

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Error Handling

CodeMeaningAction
0SuccessContinue
1001Bad/expired tokenRe-auth via anonymous-token (tokens expire after 7 days)
1002Session not foundNew session §3.0
2001No creditsAnonymous: show registration URL with ?bind=<id> (get <id> from create-session or state response when needed). Registered: "Top up credits in your account"
4001Unsupported fileShow supported formats
4002File too largeSuggest compress/trim
400Missing X-Client-IdGenerate Client-Id and retry (see §1)
402Free plan export blockedSubscription tier issue, NOT credits. "Register or upgrade your plan to unlock export."
429Rate limit (1 token/client/7 days)Retry in 30s once

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "trim the footage, add title cards for each segment, and include background music" — concrete instructions get better results.

Max file size is 500MB. Stick to MP4, MOV, AVI, WebM for the smoothest experience.

Export as MP4 for widest compatibility across school websites and social media platforms.

Common Workflows

Quick edit: Upload → "trim the footage, add title cards for each segment, and include background music" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...