Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sora Video Generation

v1.0.0

generate text prompts into AI generated videos with this sora-video-generation skill. Works with TXT, PNG, JPG, MP4 files up to 200MB. content creators use i...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (generate videos from text/uploads) aligns with the actions described in SKILL.md. Requesting a single service credential (NEMO_TOKEN) and making API calls to a video-rendering backend is expected for this purpose.
Instruction Scope
The SKILL.md stays within the video-generation domain (session creation, SSE messaging, uploads, export/polling). It does include logic to auto-create anonymous tokens and to derive headers (including X-Skill-Platform) from the agent's install path, and it expects to store a session_id; these are reasonable but broaden the skill's runtime behavior beyond 'only use an existing token'. It does not instruct reading arbitrary system files beyond detecting install/config paths.
Install Mechanism
Instruction-only skill (no install spec, no code files). No downloads or archive extraction — lowest install risk.
Credentials
The registry lists NEMO_TOKEN as a required primary env var, but the SKILL.md explicitly instructs the agent to obtain an anonymous token automatically if NEMO_TOKEN is not set. This is an inconsistency: the skill claims a required env var while also providing a full fallback that creates credentials. Otherwise, only the service token is requested and that is proportional to the stated purpose.
Persistence & Privilege
always:false (normal). The skill's metadata references a config path (~/.config/nemovideo/) and the instructions say to store session_id for later API calls — storing per-skill session state is normal for this type of integration. There is a mismatch between the top-level registry metadata (no required config paths) and the SKILL.md frontmatter which declares a config path; that should be clarified.
Assessment
This skill appears to do what it says: connect to a cloud rendering backend, accept uploads and prompts, and return generated videos. Before installing, consider:
- The skill will call an external service at https://mega-api-prod.nemovideo.ai and may upload your files (up to 200MB). Don’t upload sensitive or private data unless you trust that service and its privacy/retention policies.
- The SKILL.md says NEMO_TOKEN is the primary credential but also describes creating an anonymous token automatically if none is provided. Decide whether you prefer to supply your own token (more control) or allow the skill to create anonymous tokens for you.
- The frontmatter mentions storing state/config in ~/.config/nemovideo/ and deriving headers from the agent install path; the registry metadata shown to me did not list config paths — ask the publisher to clarify where it will write session/config files.
- No install artifacts or code are included (instruction-only). If you want higher assurance, request source/homepage or code so you can review exact API calls and any storage behavior.

If you are comfortable with an unknown third-party service receiving uploaded media and temporary session tokens, the skill is coherent for its purpose; otherwise, seek a published/homepage/source or use a service you already trust.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN