Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Text To Ai Video Generator Free
v1.0.0generate text prompts into AI-generated videos with this text-to-ai-video-generator-free skill. Works with TXT, DOCX, PDF, copied text files up to 500MB. mar...
⭐ 0· 60·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with the runtime instructions: the SKILL.md calls nemovideo.ai endpoints for session, SSE chat, upload, export, and requires a NEMO_TOKEN. That credential and network access are expected for this purpose. However, the frontmatter in SKILL.md declares a config path (~/.config/nemovideo/) that the registry metadata did not list — an inconsistency worth noting.
Instruction Scope
The instructions direct the agent to perform network calls to https://mega-api-prod.nemovideo.ai (session creation, SSE, uploads, exports) and to upload user files (up to 500MB). They also instruct automatic creation of an anonymous token if NEMO_TOKEN is absent (POST to /api/auth/anonymous-token) and to persist/use session_id for operations. While this is coherent for a cloud service, it means the skill will autonomously contact external servers and transmit user-provided content — not just local processing. The SKILL.md does not fully specify where/how tokens/session IDs are persisted (but implies persistence), and it also requires sending custom attribution headers that will identify the skill to the backend.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. That lowers install-time risk. The runtime behavior relies entirely on the platform's ability to perform HTTP requests and SSE.
Credentials
Only one credential (NEMO_TOKEN) is declared as required and as primary, which is proportionate to calling the nemovideo API. However, SKILL.md provides a fallback that generates an anonymous token via the service if no token is present — this creates credentials without explicit user-provided secrets. The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) which was not declared in the registry's requirements; it's unclear whether the skill expects to read/write that path, creating a potential persistence/credential storage mismatch.
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges in the registry. It does instruct the agent to maintain session_id and use tokens (including generating anonymous tokens that expire in 7 days), implying some persistent state. There is no instruction to modify other skills or system-wide agent settings. Autonomously contacting a remote service plus persisting tokens increases blast radius but is consistent with the skill's purpose.
What to consider before installing
This skill will send your text and any uploaded files (up to 500MB) to a third-party cloud service (mega-api-prod.nemovideo.ai) and will either use a provided NEMO_TOKEN or automatically request an anonymous token on first use. Before installing or running: 1) Do not upload sensitive or confidential files unless you trust the external service and its privacy terms. 2) Verify the service's authenticity (domain and organization) — the skill's source/homepage is unknown. 3) Ask how and where tokens/session IDs are stored (environment vs config file) if you need to control persistence. 4) If you prefer not to auto-create credentials, provide your own NEMO_TOKEN or avoid using the skill. 5) The discrepancy between the registry (no config paths) and the SKILL.md frontmatter (declares ~/.config/nemovideo/) is an unresolved inconsistency — request clarification from the publisher before granting file-system access or long-term token storage.Like a lobster shell, security has layers — review code before you run it.
latestvk978qcssntx9v6rzvddwzm717s84kas5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN