Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Comic Art Video

v1.0.0

Your comic art has a portfolio that took years to build. Character animation, motion graphics, explainer films, title sequences, brand spots, short films — y...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description describe a studio promotional video generator; that purpose plausibly requires an external rendering/generation service. However the skill's metadata lacks a source or homepage and the declared apiDomain (mega-api-dev.nemovideo.ai) is an untrusted host with no explanation, which reduces confidence in provenance.
Instruction Scope
This is an instruction-only skill whose SKILL.md references an external API domain. Although the full instructions were truncated, the file strongly suggests the agent will send portfolio media/metadata to the external API to produce videos. There is no documentation in the metadata about what data is sent, how it's protected, or whether the user must consent — creating a risk of unintended exfiltration of creative assets or client data.
Install Mechanism
No install step and no code files are present (instruction-only). That minimizes on-disk execution risk; nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials. That could be fine if the external API is public, but it's ambiguous: either the API accepts unauthenticated requests (raising abuse/abuse-responsibility questions) or credentials are expected but not declared. The lack of a declared credential, plus an unknown apiDomain and no privacy/usage guidance, is disproportionate to what an author-audience should expect when sending IP to a third-party service.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and does not request system-level config or modify other skills. It does not request persistent privileges in the provided metadata.
What to consider before installing
This skill appears to be an instruction-only connector that will send portfolio assets to an external service (mega-api-dev.nemovideo.ai) to create promotional videos. Before installing or using it: (1) ask the publisher for a homepage, privacy/security policy, and contact for the API host; (2) confirm what exact data and media will be transmitted, how it is stored, retention period, and whether you can request deletion; (3) avoid uploading unreleased or sensitive IP until you have contractual assurances; (4) test with non-sensitive sample assets first; (5) verify whether authentication is required and, if so, how credentials are handled — the skill metadata currently declares none. If the publisher can't provide clear answers, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk976z1knyxy33x2pg1ejvp2rsx84fr5v
