ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zencreator

v1.0.0

Tell me what you need and ZenCreator will help you craft thoughtful, polished video content designed for mindful creators and wellness brands. ZenCreator spe...

0· 39·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description describe a NemoVideo-powered video editing service and the skill only requires a NemoVideo token and an on-disk client_id under ~/.config/nemovideo/. Those requirements match the stated purpose (calling NemoVideo APIs, uploading videos, creating sessions).
Instruction Scope
Instructions are largely scoped to connecting to the NemoVideo backend, creating a session, uploading files, checking credits, and streaming SSE responses. Two things to note: (1) the skill instructs reading/writing ~/.config/nemovideo/client_id and detecting the agent install path to set X-Skill-Platform — this requires filesystem access but is limited to declared config paths and the skill's own metadata. (2) The session claim link the skill composes includes the token as a URL query parameter (token in URL can leak via logs or referrers); the SKILL.md itself instructs creation and use of these links.
Install Mechanism
There is no install spec and no code files; this instruction-only skill does not download or write executables. Low install risk.
Credentials
The only required credential is NEMO_TOKEN (declared as primaryEnv) and the skill creates/reads a local client_id under the declared config path to obtain anonymous tokens. That is proportionate to a backend service integration. Users should be aware that supplying a long-lived NEMO_TOKEN grants the skill access to the NemoVideo account and any data the API exposes.
Persistence & Privilege
always is false and the skill does not request system-wide changes or modify other skills. It will write to and read from its own config path (~/.config/nemovideo/) as declared, which is an expected local persistence for tokens/client_id.
Assessment
This skill appears to do what it says: call the NemoVideo API, upload footage, and manage short-lived tokens. Before installing, consider: (1) NEMO_TOKEN is the only credential requested — treat it like any API key: only provide a token you trust and avoid giving a long-lived key if you can use an anonymous/ephemeral token. (2) The skill will create/read ~/.config/nemovideo/client_id and may embed tokens in a claim URL; embedding tokens in URLs can leak through logs, browser history, or referrers, so be cautious sharing those links. (3) The skill will upload your video files to the NemoVideo backend — do not upload sensitive content unless you trust the service and their privacy policy. (4) If you need stricter isolation, prefer using an ephemeral token or review the NemoVideo account settings before granting access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97959d9gp1w8qhsh2vvrfga8183yfdf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧘 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments