ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Conference Highlight Video

v1.0.0

Conference organizers who publish professional highlight videos within 48 hours of their event see 3x higher registration rates for their next event compared...

0· 22·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match an upload-and-processing video service and the single required env var (NEMO_TOKEN) is plausible. However SKILL.md metadata lists a config path (~/.config/nemovideo/) that is not declared in the registry header, creating an inconsistency about whether the skill will access local config files.
!
Instruction Scope
The SKILL.md is marketing-style and high-level: it tells the agent to 'upload your event footage' but gives no concrete, scoped runtime instructions (which files, which endpoints, what data is sent). Vague guidance grants the agent broad discretion and could result in reading or transmitting local video files or other data without explicit limits.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk by an installer, which reduces risk.
Credentials
Only NEMO_TOKEN is required (primary credential), which is proportionate for a third-party API. But the presence of a configPaths entry inside SKILL.md (not declared elsewhere) suggests the skill might read local configuration; that should be declared and justified. Lack of a homepage or source for the Nemo service reduces ability to verify what that token grants.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. Autonomous invocation is allowed (default) but not unusual; nothing here requests system-wide changes or other skills' config.
What to consider before installing
This skill could be legitimate but it’s vague and slightly inconsistent. Before installing: (1) ask the publisher for documentation or a homepage so you can verify the NemoVideo service and what NEMO_TOKEN actually permits; (2) confirm whether the skill will read ~/.config/nemovideo/ or arbitrary local files (you should only allow access to specific folders with event footage); (3) if you must provide a token, prefer a scoped token with minimal privileges and be prepared to rotate it after testing; (4) test the skill with non-sensitive, sample video files first; and (5) avoid granting broad filesystem access or production credentials until you have concrete runtime details (API endpoints, exact file paths uploaded, data retention policy). If the publisher cannot explain the config-path discrepancy or provide documentation, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk9715fe98m5wayqht1rj3gfx65849sbs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎤 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments