Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Soft Wash Marketing Video — AI Promotional Videos for Soft Washing and Exterior House Cleaning Services

v1.0.0

The homeowner staring at black streaks on their roof and green algae on their siding does not know the difference between pressure washing and soft washing —...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (generate promotional/educational videos) reasonably explains needing an API token to call an external video-generation service. However, the SKILL.md body does not show how the token or the referenced apiDomain are used, and the apiDomain value ('https://mega-api-dev.nemovideo.ai') looks like a development/staging host rather than an official production endpoint. The metadata also declares a config path (~/.config/nemovideo/) which is not referenced in the instructions — this is an unclear mismatch.
Instruction Scope
The SKILL.md runtime instructions are very short and high-level (ask the user to describe service area/surfaces/objections). They do not explicitly direct network calls or how to transmit data to the external API, nor do they instruct reading local files. The vagueness grants the agent broad discretion (open-ended 'creates professional content' without concrete steps), which increases risk because behavior is not tightly scoped.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That is a low-risk installation footprint.
Credentials
Only one environment variable is required (NEMO_TOKEN), which is proportionate if the skill calls a third-party video API. However, the declared config path (~/.config/nemovideo/) suggests the skill may read local configuration files in addition to the env var; the SKILL.md does not justify or describe that access. Also the apiDomain points to a development-sounding host rather than an official public domain, which raises questions about where a provided token would be sent.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Model invocation is allowed by default (normal). There is no indication it will modify other skills or agent-wide settings.
What to consider before installing
This skill could be legitimate, but there are unexplained mismatches you should resolve before providing credentials. Ask the publisher: (1) Which endpoint will receive NEMO_TOKEN and why is the apiDomain a 'mega-api-dev' host? (2) Does the skill read files under ~/.config/nemovideo/ and what data is stored there? (3) Is there a privacy/terms page or official homepage and who operates the service? If you decide to test it, use a scoped or temporary token with minimal privileges, avoid reusing sensitive credentials, and monitor network traffic or logs (if possible) to confirm the token is only used for the stated video-generation purpose. If you cannot verify the operator or endpoint, treat the token as sensitive and do not install the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏠 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
