ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seedance Vs Veo

v1.0.0

Just drop a text prompt and this skill runs it through both Seedance and Veo, returning 2 MP4 clips for direct comparison. It's built for teams deciding whic...

0· 47·0 current·0 all-time
by@whitejohnk-26
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the behavior: it sends prompts to a video-processing API and returns MP4s. The required env var NEMO_TOKEN and the declared nemovideo config path are consistent with using a single aggregator API (mega-api-prod.nemovideo.ai).
Instruction Scope
SKILL.md confines actions to the nemo API (session create, SSE, upload, render polling) which fits the purpose. It also instructs the agent to detect install path (e.g., ~/.clawhub/, ~/.cursor/skills/) to populate X-Skill-Platform — this requires probing the home filesystem but those specific paths are not declared in the skill's configPaths, which is an inconsistency to flag.
Install Mechanism
Instruction-only skill with no install steps or external downloads; nothing is written to disk by an installer spec.
Credentials
Only NEMO_TOKEN is required (declared as primary). The metadata also lists ~/.config/nemovideo/ which is reasonable. However, the runtime instructions read other home-directory install paths to set an attribution header (X-Skill-Platform) without declaring those paths explicitly.
Persistence & Privilege
always is false and the skill does not request permanent agent-level privileges. It saves session_id/state for its own sessions (expected); autonomous invocation is allowed by default but not by itself a red flag.
Assessment
This skill appears to do what it says: it talks to nemovideo.ai to produce two videos and returns MP4s. Before installing, consider: (1) the skill needs a NEMO_TOKEN (or will obtain an anonymous token via nemovideo.ai) — only provide that token if you trust nemovideo.ai; (2) uploads and prompts (including any files you send) are transmitted to the external service, so don't send sensitive content; (3) the skill will probe certain home-directory paths to set an X-Skill-Platform header (it mentions ~/.clawhub/ and ~/.cursor/skills/) even though those paths aren't declared in metadata — if you don't want an agent checking your home dirs, refuse or sandbox the skill; (4) there's no homepage or known source listed — if you need higher assurance, ask the publisher for source code or a reputable homepage and verify the API domain (mega-api-prod.nemovideo.ai). If you want to be cautious, set NEMO_TOKEN yourself beforehand (so the skill won't try to fetch an anonymous token) and avoid uploading private files.

Like a lobster shell, security has layers — review code before you run it.

latestvk971c95a5kdv4e6p6c8ckyt9ax84fmav

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments