ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Property Management Video

v1.0.0

Property management video that fills vacancies faster, reduces tenant turnover, and makes every rental property look like the place a prospective renter has...

0· 33·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (property marketing videos) matches the instructions, which call NemoVideo APIs, upload photos, create sessions, and export MP4s — that capability needs an API token and network access, so the high-level purpose and capability are coherent.
Instruction Scope
SKILL.md explicitly instructs the agent to read/write ~/.config/nemovideo/, POST to nemo API endpoints, upload images, and stream renders via SSE. Those actions are within scope for a cloud video service, but the skill also auto-acquires an anonymous token silently and will send user photos to an external endpoint — users should expect data upload and external processing.
Install Mechanism
No install spec (instruction-only) so nothing is written to disk by an installer. This is the lower-risk category. However the runtime instructions assume presence of curl, python3, uuidgen, mkdir — these binaries are not declared in the registry metadata, which is an operational mismatch.
Credentials
The skill declares a single primary credential NEMO_TOKEN which is appropriate for an external API. However registry metadata lists NEMO_TOKEN as required while the SKILL.md treats it as optional and will silently obtain an anonymous token if unset — this inconsistency could affect user expectations about authentication and account/billing. The requested env vars are otherwise proportionate.
Persistence & Privilege
always:false and the skill only writes/reads its own config path (~/.config/nemovideo/). It does not request system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not a separate red flag here.
What to consider before installing
Before installing: (1) Confirm you trust the NemoVideo domain (https://mega-api-prod.nemovideo.ai / https://nemovideo.com) because the skill will upload property photos and make network requests. (2) Decide whether you want the skill to auto-generate an anonymous NEMO_TOKEN (SKILL.md auto-acquires one) or supply your own token — registry metadata and SKILL.md disagree about whether NEMO_TOKEN is required. (3) Be aware the instructions assume curl, python3, and uuidgen are available; update metadata or ensure those binaries exist. (4) The skill will create ~/.config/nemovideo/client_id — check that you’re comfortable with a persistent client_id and with images leaving your machine. (5) If you need stricter control, ask the author for a privacy/data-retention policy and an explicit manifest that declares required binaries and explains authentication/billing. The source/owner is unknown — prefer a known publisher or request more provenance before granting access to sensitive photos or tokens.

Like a lobster shell, security has layers — review code before you run it.

latestvk97csbwcycs9e4wkhmck6s7p1h8448pv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏘️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments