Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Cruise Travel Video

v1.0.0

Plan routes, compare cruise lines, and film the open ocean experience with AI — generate cruise travel videos covering itinerary comparison, onboard daily li...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the intended capability (cruise itinerary/video content generation). Declaring a service token (NEMO_TOKEN) and a NemoVideo config path could be reasonable if the skill integrates with an external NemoVideo API, but the registry lists no required env vars while metadata names a primary credential—this mismatch is unexplained.
Instruction Scope
The SKILL.md content is focused on cruise video content generation and (in the visible excerpt) does not instruct the agent to read unrelated system files or transmit data to unexpected endpoints. However the SKILL.md shown does not explicitly show how the agent should obtain or use NEMO_TOKEN or the config path, leaving runtime behavior ambiguous.
Install Mechanism
No install spec and no code files are present (instruction-only), which minimizes disk-writing/execution risk.
Credentials
Metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) but the skill's 'required env vars' list is empty and the SKILL.md does not clearly justify or document access to these secrets/config files. This inconsistency raises the possibility of undisclosed secret access or unclear token handling.
Persistence & Privilege
always is false and the skill is user-invocable only; there is no sign it attempts to modify other skills or request permanent, automatic inclusion.
What to consider before installing
This skill appears to do what it says (create cruise travel video content), but metadata inconsistencies and missing source/homepage are red flags. Before installing or providing credentials:
1) Ask the author/vendor for the NemoVideo service URL, privacy policy, and why NEMO_TOKEN is needed.
2) Confirm where and how the skill expects to find NEMO_TOKEN (env var vs ~/.config/nemovideo/) and whether it will store or transmit the token.
3) If you don't trust or recognize the NemoVideo provider, do not supply secrets.
4) Because the skill is instruction-only, it can't hide binaries, but unspecified runtime behavior (reading your home config) is possible—inspect the full SKILL.md for explicit runtime steps or request the full instructions/source before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ew5x47wzn6zkj3kreez07sh83t8bw

Runtime requirements

🛳️ Clawdis
Primary env: NEMO_TOKEN
