Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Study Guide Video
v1.0.0Turn any subject into visual study material that sticks with AI — generate study guide videos that transform dense textbooks, lecture notes, and exam materia...
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description describe generating study-guide videos via a NemoVideo service; the declared primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) are coherent with a hosted API/service. However, registry metadata lists no required env vars while also naming NEMO_TOKEN as primaryEnv — that's an internal inconsistency that should be clarified (either the token is required or it is optional).
Instruction Scope
SKILL.md content shown is largely descriptive and pedagogical. As an instruction-only skill, its runtime behavior depends entirely on prose later in the file (truncated here). Generating videos commonly involves sending user-provided content (text, notes, or files) to an external API — that would be within the stated purpose but is a material privacy/egress action. I did not see instructions in the provided excerpt that read unrelated system files or request unrelated credentials, but you should review the full SKILL.md for explicit upload/send steps, any instructions to read arbitrary paths, or broad 'gather context' language that grants the agent wide discretion.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes disk-side risk because nothing is downloaded or executed by default.
Credentials
Requesting a single service token (NEMO_TOKEN) is proportionate for an external video-generation service. But the registry shows no explicit required env vars while declaring NEMO_TOKEN as the primary credential and listing a user config path (~/.config/nemovideo/) — this mismatch is an incoherence. Also confirm whether the skill reads the config path or expects the token to be present there; that path could contain other user-sensitive data. The skill should explicitly document which env var(s) and config files it will read.
Persistence & Privilege
always:false and no install steps mean it does not demand persistent or elevated platform presence. Autonomous invocation is enabled (platform default) but that is typical for skills and not by itself a concern.
What to consider before installing
Before installing, ask the publisher (or inspect the complete SKILL.md) to confirm: 1) whether NEMO_TOKEN is required and where it is read from (environment vs ~/.config/nemovideo/); 2) what data is sent to the NemoVideo service (do uploaded textbooks/notes get stored, used for model training, or shared), and review privacy/retention policies; 3) whether the skill reads any other files or environment variables beyond the declared token/config path; and 4) consider providing a scoped, revocable token (not your main account token) and avoid sending highly sensitive or copyrighted material until you verify the service terms. The main red flag is the metadata inconsistency (primaryEnv present but not listed as a required env var) — clarify that before trusting the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk975n3p77ayjfa3n1gvyfjgv3h83v2pr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📚 Clawdis
Primary envNEMO_TOKEN