ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Awareness Campaign Video

v1.1.0

Create social impact, cause marketing, and awareness campaign videos with AI — produce emotionally compelling videos for nonprofits, NGOs, social enterprises...

0· 87·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
stale
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce campaign videos from uploaded raw materials — that legitimately requires a remote service and an API token (NEMO_TOKEN) and may read a service config (~/.config/nemovideo/). However, there is no homepage or public project information and the registry owner is unknown, which reduces ability to verify the service's trustworthiness.
Instruction Scope
SKILL.md (instruction-only) describes uploading phone-recorded testimonials, photos, and data to produce videos. That scope is consistent with the description, but it implies transmitting potentially sensitive personal data to an external service. The file instructs use of NemoVideo's processing pipeline (upload/transform/export) — nothing in the provided metadata indicates additional unrelated file reads, but the declared config path means the skill may access files in ~/.config/nemovideo/.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is written to disk by an installer. This minimizes installation risk.
!
Credentials
The skill declares a primary credential NEMO_TOKEN (needed to call an external API), but requires.env is empty — a minor inconsistency. It also requests access to ~/.config/nemovideo/, which may contain other tokens or config. Requesting a single service token is reasonable for this functionality, but because the service and owner are not public, you cannot verify the token's scope or how uploaded media will be stored/used.
Persistence & Privilege
always:false (no forced inclusion) and default autonomous invocation allowed. Autonomous invocation combined with a valid external token could let the skill upload files without a prompt if the agent runs it — this is platform-default behavior, but you should be aware of that capability given the data-sending nature of the skill.
What to consider before installing
This skill appears to do what it says (upload raw media, run AI video production, and return assets), but there are unanswered trust questions. Before installing: (1) Ask the publisher for a homepage, privacy/data-retention policy, and details about NEMO_TOKEN scope. (2) Never supply high-privilege or production credentials — create a limited test token if possible. (3) Review the contents of ~/.config/nemovideo/ to ensure it contains only service-specific config you expect. (4) Test with non-sensitive, dummy media first to see what data is sent and returned. (5) If you need strict data control (PII, sensitive testimonies), consider keeping processing local or using a vetted vendor; do not rely on an unknown service for sensitive uploads. (6) If you prefer tighter safety, disable autonomous invocation or require explicit confirmation before the agent uses the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979yj8fkjtf3cnbzkn0kjf14583sgz5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📢 Clawdis
Primary envNEMO_TOKEN

Comments