Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Summer Camp Marketing — Video Marketing Tools for Summer Camps, Day Camps, Overnight Camps, and Youth Program Enrollment
v1.0.0What's the fastest way to fill your summer camp before February? It's not the email blast to last year's families. It's not the flyer in the elementary schoo...
⭐ 0· 28·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (video marketing for camps) align with the SKILL.md content: it asks for camp details and footage and promises video outputs for platforms. Requesting a service token for a video platform (NEMO_TOKEN) could be reasonable, but the top-level metadata lists no required env vars while also declaring primaryEnv=NEMO_TOKEN and a config path (~/.config/nemovideo/) — that inconsistency is unexpected and unexplained.
Instruction Scope
The SKILL.md only asks the user to describe camp details and provide footage/testimonials and describes outputs; it does not instruct the agent to read environment variables, the ~/.config/nemovideo/ path, or to upload data to any endpoint. Because the metadata references a token and config path but the runtime instructions do not, the skill's operational scope is unclear.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is the lowest-risk install profile. Nothing would be written to disk by an installer because none is provided.
Credentials
The skill declares a primary credential name (NEMO_TOKEN) and a config path (~/.config/nemovideo/), but the declared required env list is empty and the SKILL.md never explains why the token or config are needed. Requesting credentials or config access is proportionate for a video-processing/integration service only when documented; here the lack of explanation is a red flag. Also, the skill will likely handle sensitive user-supplied footage of minors — any credential/access requested should be justified and limited.
Persistence & Privilege
The skill does not request always: true and is user-invocable only. It does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk indicators here.
What to consider before installing
Before installing or providing data, ask the skill author/vendor: (1) Do you actually require NEMO_TOKEN? If so, why and what exact API endpoints and scopes will that token grant? (2) Why is ~/.config/nemovideo/ referenced and what data in that path is read or written? (3) Where will uploaded footage be stored, for how long, and who can access it? (4) Supply a homepage, privacy policy, and documentation (service provider identity, TLS endpoints, data deletion procedure). Don't provide tokens or identifiable footage of children until you receive clear answers and a data-processing agreement; prefer short-lived tokens or limited scopes, test with non-identifiable sample footage first, and consider redacting faces or blurring sensitive details until vendor provenance is confirmed.Like a lobster shell, security has layers — review code before you run it.
latestvk975a17wc5rqsxzf4cmwmhmtqs841de3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⛺ Clawdis
Primary envNEMO_TOKEN