Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Adventure Travel Video
v1.0.0Capture extreme destinations, adrenaline activities, and expedition stories with AI — generate adventure travel videos covering multi-day treks, wildlife enc...
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (AI video generation for adventure travel) is consistent with asking for a single service token (NEMO_TOKEN) if it talks to an external 'Nemo' API. However the registry metadata shows no required env-vars list while also declaring a primaryEnv NEMO_TOKEN and a config path (~/.config/nemovideo/). That mix is slightly inconsistent: a remote-video service would normally declare the API key in requires.env and need not require local config access.
Instruction Scope
The SKILL.md is an instruction-only document describing many content-generation use cases. The visible content focuses on video content, logistics, and safety context and does not obviously instruct the agent to read unrelated files. However the skill metadata explicitly requests access to a local config path (~/.config/nemovideo/), which could contain unrelated user credentials or other sensitive data. The SKILL.md itself (as provided) does not show concrete runtime commands or external endpoints beyond implying 'NemoVideo' service usage, so it's unclear exactly what data would be read or transmitted at runtime.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk writes and reduces installation risk: nothing is downloaded or installed by the skill itself.
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which is proportionate for a remote service. But the top-level 'required env vars' list is empty while primaryEnv is set, and the skill also requests a user config path (~/.config/nemovideo/). Requesting a local config directory in addition to an API token increases the amount of sensitive data the skill could access and is not justified by the visible instructions. Also there is no homepage or source URL to verify what Nemo/NemoVideo is or what token scopes are expected.
Persistence & Privilege
always is false (not force-included), and disable-model-invocation is false (normal). The skill does not request persistent platform privileges or modification of other skills. Autonomous invocation is allowed by default — not flagged on its own — but combined with the credential/config path concerns it increases the need for caution.
What to consider before installing
This skill appears to be an instruction-only integration that likely uses an external NemoVideo service. Before installing or enabling it: 1) Ask the publisher for a source or homepage and documentation for 'NemoVideo' so you can verify the service and token scope. 2) Treat NEMO_TOKEN like any API secret — only provide a token with minimal scope and be ready to revoke it if anything looks wrong. 3) Confirm why the skill needs access to ~/.config/nemovideo/ and inspect that directory's contents yourself; do not grant access to a directory containing other credentials. 4) Because there is no install or code, the main risk is data exfiltration at runtime — ask the maintainer to specify exact endpoints the skill calls and what user data it sends. 5) If you must test, run the skill in a restricted environment (isolated account or VM) and monitor network traffic and file reads, then revoke the token when finished.Like a lobster shell, security has layers — review code before you run it.
latestvk97cw0aaj8erbedqxbz82183nh83tkvh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⛰️ Clawdis
Primary envNEMO_TOKEN