Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Green Screen Video Maker
v1.0.0
You filmed the product review in your home office. The background is fine but not branded. The tutorial was recorded in front of a garage wall. The interview...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe an online video processing service (NemoVideo-like) which reasonably would need an API token. However the registry listing shows 'Source: unknown' and no homepage, and the SKILL.md metadata mixes empty env list with a declared primaryEnv (NEMO_TOKEN) and a config path. These inconsistencies make it unclear whether the requested credential and config path are actually needed or trustworthy.
Instruction Scope
SKILL.md is high-level and instructs the user/agent to 'Upload the source footage and specify the replacement' but provides no API endpoints, upload mechanism, CLI commands, or details on where data is sent, how NEMO_TOKEN is used, or how privacy/retention is handled. That vagueness grants broad discretion to the agent and could result in videos being transmitted to an unknown external service.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by the skill itself. This reduces surface area compared to skills that download or execute third-party binaries.
Credentials
The skill declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) while the SKILL.md 'requires.env' array is empty and the top-level metadata showed 'Required config paths: none' — this mismatch is incoherent. Requesting a token that isn't explained in the runtime instructions is disproportionate without documentation on what the token grants, where it is sent, or why it's necessary.
Persistence & Privilege
always is false, and the skill is user-invocable with normal autonomous invocation allowed. There is no evidence the skill attempts to gain permanent system presence or modify other skills/configs.
Scan Findings in Context
[no_regex_findings] unexpected: Static scanner found no code or regex hits because this is an instruction-only skill. That absence is not evidence of safety — the SKILL.md still references uploads, a primaryEnv, and a config path without implementation details.
What to consider before installing
Before installing, ask the publisher to clarify: (1) Where exactly is video data uploaded (service domain / API endpoints)? (2) Why is NEMO_TOKEN required and what permissions does it grant? (3) What is stored in ~/.config/nemovideo/ and why is that path needed? (4) What are data retention, access, and privacy policies for uploaded videos? If you cannot get clear answers, do not provide real credentials or sensitive videos — test with throwaway footage and a scoped API key. Prefer skills with a published source, homepage, or API docs; avoid supplying global or long-lived tokens until you confirm the service and its data handling practices.
Like a lobster shell, security has layers — review code before you run it.
latestvk9730m5jnr9p08jzk0mtxdn9eh83x32j
Runtime requirements
🟢 Clawdis
Primary env: NEMO_TOKEN
