Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Travel Photography Video
v2.0.0
Teach composition, lighting, and storytelling for stunning travel shots with AI — generate travel photography videos covering golden hour technique, street p...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (generate travel photography videos, tutorials) align with the declared primary credential NEMO_TOKEN (presumably to call a NemoVideo service). However the registry metadata is inconsistent: requires.env is empty but primaryEnv is set to NEMO_TOKEN, and configPaths includes ~/.config/nemovideo/, which is not explained in the description. The lack of homepage/source also makes provenance unclear.
Instruction Scope
This is an instruction-only skill (SKILL.md present, no code). The provided SKILL.md describes producing videos, scouting locations, and explaining camera settings — all reasonable. But the metadata directs access to a user config path (~/.config/nemovideo/). The SKILL.md excerpt does not justify reading local user config or other unrelated files; instructions that access local config could expose tokens or personal data and are not explained in the doc.
Install Mechanism
No install spec and no code files — lowest-risk execution model. The skill is instruction-only, so nothing is downloaded or written by a packaged installer.
Credentials
Only one credential (primaryEnv NEMO_TOKEN) is declared, which is plausible for a third-party video-generation API. But requires.env is empty (inconsistent) and configPaths references a user config directory that likely contains secrets. Requesting access to a config directory without documenting why is disproportionate and potentially risky (it could expose unrelated credentials or personal data).
Persistence & Privilege
always is false and the skill is not forced into every agent run. It does not request persistent/system-wide changes in the manifest. Autonomous invocation is allowed (default) but that is normal and not by itself a concern.
What to consider before installing
This skill appears to be an instruction-only content generator for travel-photography videos and that purpose is plausible. Before installing: (1) ask the publisher why the manifest references ~/.config/nemovideo/ and whether the skill will read files there; (2) confirm whether NEMO_TOKEN is required and will only be used to call the official NemoVideo API (ask for the service domain and privacy policy); (3) avoid storing unrelated secrets in ~/.config/nemovideo/ or entering credentials unless you trust the skill's source; (4) request that the manifest explicitly list required env vars (e.g., NEMO_TOKEN) and document what local config is read and why; and (5) because the skill's source/homepage is unknown, prefer only using it with ephemeral or limited-permission credentials until you verify the publisher.
Like a lobster shell, security has layers — review code before you run it.
latestvk970j58z3q6kkpzggqsvtt8a0x83tkv7
Runtime requirements
📸 Clawdis
Primary env: NEMO_TOKEN
