Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Homeschool Video Maker

v1.0.0

Create complete curriculum-aligned video lessons for home education with AI — generate homeschool video content covering every core subject with age-appropri...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's purpose (AI-generated homeschool video lessons) reasonably aligns with needing an external video-generation service credential (NEMO_TOKEN). However the manifest is inconsistent: requires.env is empty while primaryEnv is set to NEMO_TOKEN. That mismatch reduces transparency about what credentials will be read or required at runtime.
[!] Instruction Scope
This is an instruction-only skill (no code) but its metadata requests access to a user config path (~/.config/nemovideo/). The SKILL.md text (truncated here) describes content generation but does not justify reading or writing that config directory. Instruction-only skills are hard to audit because the runtime behavior depends entirely on instructions and the platform's integration with user files/config; asking for a config path without an explicit, scoped reason is concerning.
Install Mechanism
No install spec and no code files are provided, so nothing will be downloaded or written by an installer. That lowers risk relative to skills that fetch and execute remote archives.
[!] Credentials
A primary credential (NEMO_TOKEN) is declared but requires.env is empty, creating ambiguity about whether and how the token will be requested or used. The skill also declares a config path where credentials or tokens might be stored or read. Requesting token access and a config directory without explicitly documenting required env vars, token scope, or endpoints is disproportionate to what the description explains.
Persistence & Privilege
always is false and there are no declarations that the skill will persistently modify other agent-wide settings. Autonomous invocation is permitted (platform default), which is normal, but because the skill requests credential/config access, autonomous invocation increases risk and should be considered when authorizing.
What to consider before installing
This skill appears to be an instruction-only wrapper around a service called “NemoVideo” (NEMO_TOKEN is the primary credential). Before installing or providing any token:

1) ask the publisher what NEMO_TOKEN is (service URL, exact API scopes, token lifetime) and why the skill needs ~/.config/nemovideo/ access;
2) request clear documentation of what data is sent to external endpoints and whether video/audio/student or child data is uploaded or logged;
3) prefer issuing an ephemeral or least-privilege token (not a long-lived account token) and avoid using broadly-scoped secrets;
4) if possible, test in a sandbox account or environment first;
5) if the skill author cannot explain the config path and credential usage, treat it as risky.

Because this skill has no code files to inspect, the manifest inconsistencies (primaryEnv present but not declared in requires.env and an unexplained config path) are the primary red flags.

Additional information that would raise confidence: a clear README describing the exact API endpoints used, a public homepage or source repo, and an updated manifest that explicitly lists required env vars and explains the config directory usage.

latest: vk978123cns9jkcbfcdhearcj9n83t7a5

Runtime requirements

🏡 Clawdis
Primary env: NEMO_TOKEN
