ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Origami Tutorial Video

v1.0.0

Fold paper into art with clear step-by-step video instructions using AI — generate origami tutorial videos covering traditional models, modern designs, modul...

0· 61·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to produce AI-generated origami videos (NemoVideo). The declared primary credential NEMO_TOKEN is plausible for an external NemoVideo API, but the registry metadata lists no required env vars while the SKILL.md metadata sets primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/). Those cross-layer mismatches (registry vs SKILL.md) and the lack of a source or homepage reduce provenance and are inconsistent with a well-documented API integration.
!
Instruction Scope
This is an instruction-only skill whose SKILL.md is long and largely descriptive; the visible portion provides content and use cases but does not show concrete runtime steps (no API endpoints, no example requests, no explicit instructions to read the token or the config file). Yet the embedded metadata implies the agent should use NEMO_TOKEN and a local config path. That gap — instructions that are vague about how or when credentials/config are used — gives the agent broad discretion and is a scope/clarity concern. Note: the SKILL.md was truncated in the provided package; the full file might contain additional runtime instructions.
Install Mechanism
No install spec and no code files are present, so nothing will be downloaded or written to disk by an installer. Instruction-only skills have the lowest install risk.
Credentials
Requesting a single primary credential named NEMO_TOKEN is proportionate to a video-generation API integration in principle. However, requires.env is empty while primaryEnv is set in SKILL.md metadata, and the skill also lists a config path (~/.config/nemovideo/) — this inconsistency should be resolved. Without documentation, it's unclear whether the token is mandatory, how it will be used, or whether the skill will read other local secrets.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not appear to request system-wide persistence or modification of other skills.
What to consider before installing
Do not provide sensitive tokens yet. Ask the skill author for: (1) source code or a homepage/documentation URL for NemoVideo; (2) full SKILL.md/runtime steps showing exactly how NEMO_TOKEN and ~/.config/nemovideo/ are used; (3) API endpoints, example requests/responses, and what data (video content, user metadata) is sent to external servers and how long it's retained; (4) confirmation that the skill will not read other local files or other env vars. If you must test, create a scoped/test NEMO_TOKEN with minimal permissions and monitor network/activity. If the author cannot provide clear documentation or code, avoid installing the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk971d6pb9h067f972zcrh32g3h83tcv4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦢 Clawdis
Primary envNEMO_TOKEN

Comments