ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Veterinary Clinic Video

v1.0.0

A family moves to a new neighborhood with a three-year-old golden retriever and a cat who has kidney disease. They search "veterinarian near me" and get twel...

0· 53·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises automated creation and exports of marketing videos (including uploads to Google Business Profile, Facebook, Instagram, etc.) but the skill declares no required credentials, APIs, or steps to perform those uploads. The YAML header includes apiDomain: https://mega-api-dev.nemovideo.ai which implies a remote service will be contacted, but the skill provides no explanation of what that service does, what inputs it expects, or what credentials (if any) it needs. This mismatch between claimed capabilities and declared requirements is a coherence concern.
Instruction Scope
SKILL.md is mostly high-level marketing/copywriting guidance (what the video should convey) rather than concrete runtime instructions. It does not instruct the agent to read local files, environment variables, or credentials, which limits immediate risk, but it is vague and grants broad discretion about where/how to obtain or send media or client data. Vague, open-ended instructions can lead an agent to collect context from unexpected sources unless further constrained.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no packages are fetched by the skill itself.
Credentials
The skill requires no environment variables or credentials. However, the stated capability to export content to third‑party platforms normally requires platform credentials (Google Business Profile, Facebook, Instagram, etc.). The absence of any declared credential requirements is inconsistent with the export claims and should be clarified by the publisher.
Persistence & Privilege
The skill does not request always:true, does not install anything, and is not asking to modify agent-wide settings. Autonomous invocation is allowed by default but is not combined with other high-risk flags here.
What to consider before installing
This skill is mostly marketing copy and lacks concrete operational details. Before installing or using it, ask the publisher for: (1) explicit runtime behavior — does the agent call https://mega-api-dev.nemovideo.ai or any other service? (2) what inputs/outputs the remote API expects and whether any credentials will be requested or stored; (3) privacy and data retention policies for any uploaded media (client/patient information could be sensitive); and (4) instructions for exporting to Google Business Profile, Facebook, and Instagram (these normally require OAuth/API keys). Because the skill claims platform uploads but declares no credentials, treat it as ambiguous — avoid providing real client data or service credentials until you have clear documentation and a trustworthy endpoint. If you plan to test, use dummy content and verify the apiDomain is legitimate (DNS, TLS certs, and an official vendor page) before sending real media or patient information.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ab7x2d3a6v4219mbn3qpjwh8489bc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments