by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (generate short videos via a cloud backend) is plausible, but there are inconsistencies and a few behaviors that deserve caution before installing.
评估建议
This skill will upload your media and prompts to a remote service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN. If you don't provide one, it will automatically request an anonymous token and use that account to run jobs. Before installing, confirm: 1) the service domain is trustworthy and you accept uploading potentially sensitive media there; 2) where and whether the anonymous token or any credentials are stored (are they persisted to disk under ~/.config/nemovideo/?); 3) the privacy/ret...详细分析 ▾
ℹ 用途与能力
The skill claims to perform cloud video generation and only requests a single credential (NEMO_TOKEN), which matches the purpose. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — an internal inconsistency about what local config it expects.
ℹ 指令范围
Instructions are explicit about creating a session, uploading media, streaming SSE for generation, and exporting results to a download URL on mega-api-prod.nemovideo.ai. It also instructs the agent to automatically obtain an anonymous token if NEMO_TOKEN is missing (POST to /api/auth/anonymous-token). Automatically acquiring and using credentials on first use is plausible but broad — it means the skill will call an external auth endpoint and then use that token to upload user media. The instructions do not direct the agent to read unrelated files or unrelated env vars, but they do describe determining an 'install path' to set an X-Skill-Platform header (this implies checking agent install paths), which is peripheral to core generation functionality.
✓ 安装机制
No install spec or code files are present; this is instruction-only, so nothing will be written to disk by an installer. That minimizes install-time risk.
⚠ 凭证需求
The primaryEnv is NEMO_TOKEN which is appropriate for a cloud video service. But the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/) while the registry metadata shows no required config paths — this mismatch is unexplained. Also the skill will automatically request and use an anonymous token if none is present, which could create credentials without an explicit user action and lead to uploads under that anonymous account. The headers and attribution requirements (X-Skill-Source / Version / Platform) are unusual but not inherently malicious; they do add identifiers that are sent with every request.
✓ 持久化与权限
The skill is not always-enabled and does not request elevated platform privileges. Autonomous invocation is allowed (default) but not combined with other high-risk factors here. The skill does interact with a remote service and may create session tokens, but it does not declare any ability to modify other skills or system-wide settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/21
Initial release of Generator Generator Simple — generate videos from short text prompts. - Quickly create 30-second AI-generated videos by describing your idea in plain text. - Upload MP4, MOV, WebM, or GIF files up to 200MB and process them automatically—no editing software needed. - Simple session setup with automatic cloud authentication (100 free credits for new users). - Intuitive prompts guide video creation, export, credits check, and file upload via smart keyword detection. - Full support for cloud-based video rendering, preview, timeline editing, and export to 1080p MP4. - Clear error handling and feedback throughout the generation process.
● 无害
安装命令
点击复制官方npx clawhub@latest install generator-generator-simple
镜像加速npx clawhub@latest install generator-generator-simple --registry https://cn.longxiaskill.com