ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Travel Packing Video

v1.0.0

Master minimalist packing, capsule wardrobes, and carry-on only systems with AI — generate travel packing videos covering rolling versus folding techniques,...

0· 51·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and SKILL.md content clearly describe generating travel packing video content and related assets, which is coherent. However the skill metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) that imply integration with an external NemoVideo service; the registry entry otherwise lists no required env vars. That mismatch (credential present but not listed in requires.env, and no homepage/source to verify NemoVideo) is unexplained and worth asking the author about.
Instruction Scope
The SKILL.md is primarily content and guidance for producing packing videos and does not, in the provided excerpt, instruct the agent to read arbitrary host files, siphon data, or call unrelated endpoints. There are no explicit runtime commands shown that access system files or network endpoints, but the metadata's configPaths hint the skill might read ~/.config/nemovideo/ at runtime — the SKILL.md does not document how that data would be used.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest-risk install model because nothing is written to disk by an installer.
!
Credentials
A primary credential NEMO_TOKEN is declared, and a config path is listed, but requires.env is empty and there is no explanation of what the token grants or why it's needed. Requesting access to a token and a user config directory is potentially proportional if the skill uploads video jobs to a NemoVideo API, but the missing declaration and lack of a verifiable service homepage/source raises concern about credential scope and necessity.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent, system-wide privileges in the metadata supplied. Autonomous invocation is allowed (platform default) but does not by itself raise additional concern here.
What to consider before installing
This skill looks like a content-only helper for packing videos, but two things don't add up: metadata names a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) while the skill otherwise lists no required env vars and has no homepage or source to verify NemoVideo. Before installing or providing any tokens, do the following: 1) Ask the publisher what NEMO_TOKEN is, what API/endpoints the skill calls, and what permissions the token needs. 2) Prefer creating a limited-scope or disposable test token (if the service supports it) rather than using high-privilege credentials. 3) Request the full runtime instructions or logs showing what the skill sends/receives (does it upload your files or just send text?). 4) If you must proceed, avoid using real personal/service credentials and monitor the token usage; revoke it if anything unexpected occurs. If you want, paste the full SKILL.md or any missing sections that describe API calls and I can re-evaluate more precisely.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bf34cdjzkzj37hmxtk0ay4n83tmh6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧳 Clawdis
Primary envNEMO_TOKEN

Comments