by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill is broadly consistent with a cloud-based video watermark/branding service, but review these points before installing: 1) It will contact an external API (mega-api-prod.nemovideo.ai) and will create an anonymous NEMO_TOKEN for you if none is present — ask where that token and session_id are stored and how long they persist. 2) The skill intends to 'detect' the local install path to set an attribution header — confirm whether the agent will read local filesystem paths and whether that e...详细分析 ▾
ℹ 用途与能力
The skill's name and description (video branding via a cloud rendering backend) align with its API calls and required NEMO_TOKEN credential. However, the SKILL.md frontmatter lists a required config path (~/.config/nemovideo/) while the registry metadata presented earlier omitted config paths — this mismatch is an incoherence in declared requirements.
ℹ 指令范围
Instructions stay focused on upload, session management, SSE, and export workflows for the nemovideo backend. They also direct the agent to auto-obtain an anonymous token and persist a session_id. Two points to note: (1) the instructions say to 'detect' the install path to set X-Skill-Platform (this implies the agent may inspect local paths or runtime environment), and (2) the doc tells the agent not to display raw API responses or token values to the user, which is unusual guidance that hides sensitive values from the user interface.
✓ 安装机制
No install spec and no code files (instruction-only). That is the lowest install risk — nothing is written to disk by an installer step in the skill package itself.
ℹ 凭证需求
The skill requests a single credential (NEMO_TOKEN), which is proportional for a remote API. However, it instructs the agent to create and store an anonymous token automatically if one isn't present. Automatic token issuance and local storage are reasonable, but you should confirm where the token/session are stored and their lifetime/permissions. The guidance to avoid showing token values to the user reduces transparency.
ℹ 持久化与权限
always:false (no forced presence). The skill expects to store session_id and token for subsequent calls (persistence within the agent). This is expected for a session-based API but you should confirm storage location and retention (orphaned render jobs are noted). The skill also reads/detects install paths to derive X-Skill-Platform, which implies modest filesystem inspection.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/13
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install video-maker-logo-free
镜像加速npx clawhub@latest install video-maker-logo-free --registry https://cn.longxiaskill.com