Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fitness App Promo Video

v1.0.0

A woman downloads her fourth fitness app of the year. The first three had the same problem: too many workouts, no clear starting point, a streak system that...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match: the skill claims to produce fitness-app promo videos and walkthroughs. However, the SKILL.md header includes apiDomain: https://mega-api-dev.nemovideo.ai (a development-sounding external endpoint) while the skill declares no required credentials or other dependencies. If the skill calls a remote video-generation API, that should be documented (API keys, data flows, pricing). The presence of an unknown dev API endpoint without explanation is an unexplained detail but could be legitimate (public endpoint or demo).
Instruction Scope
The provided SKILL.md text is primarily marketing and usage description; the excerpt doesn't show low-level instructions, but the header's apiDomain implies runtime network calls. There are no explicit instructions in the visible content to read unrelated system files or to exfiltrate secrets. Missing from the SKILL.md (or at least the provided excerpt) are clear runtime steps: what data the agent will collect from the user, what it will upload to the API, and what the API returns. That ambiguity increases risk because user media (app screenshots, screen recordings, private assets) could be transmitted to the external endpoint.
Install Mechanism
No install spec and no code files — this is an instruction-only skill, which minimizes filesystem risk. Nothing will be written to disk by an installer per the metadata.
Credentials
The skill declares no required environment variables or credentials, which would be appropriate for a fully public demo API. But because the SKILL.md references an external apiDomain (a private/dev-looking host), it's unclear whether an API key or other credential is actually required at runtime. The lack of declared env vars while calling an external service is an inconsistency that should be clarified. Also consider that the service would likely receive user-provided media and metadata; no privacy/data-retention details are provided.
Persistence & Privilege
Flags show always:false and default invocation settings; the skill does not request persistent or elevated platform privileges and does not indicate changes to other skills or global config.
What to consider before installing
This skill appears to do what it says (make promo videos) but raises two practical concerns you should resolve before installing or using it:

1) Ask the publisher for technical documentation: does the skill call https://mega-api-dev.nemovideo.ai at runtime? Is that a production or demo endpoint? Will you need an API key or account? If so, where should that credential be stored and what scope/permissions does it have?

2) Confirm data handling and privacy: what exactly will be uploaded (screenshots, screen recordings, app data, user PII)? Where is media stored, for how long, who can access it, and is it deleted after processing? Request a privacy/data-retention policy and sample output before sending proprietary assets.

Additional precautions:
- Do not provide production credentials, OAuth tokens, or app signing keys to the skill.
- If you must test, prefer non-sensitive demo assets and short-lived test accounts.
- Try to obtain a homepage/owner contact, production API endpoint, and example videos to validate quality and trustworthiness.

Because the source and endpoint are unknown and the SKILL.md is ambiguous about runtime network calls and data flow, treat the skill as potentially exfiltrating user media until you confirm the above details.


latest · vk97f30reahhnwevenqzb6rrvss848spp
