ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Course Promo Video

v1.0.0

You spent six months building the course. You recorded fifty hours of curriculum, wrote the workbooks, built the community, and set up the sales page. Then s...

0· 23·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description claim a promo-video generation capability which legitimately would call a video-generation API; that aspect is coherent with the skill's stated purpose.
!
Instruction Scope
SKILL.md is largely marketing and a single prompt ('Describe your course...') rather than concrete runtime instructions. It includes apiDomain: https://mega-api-dev.nemovideo.ai, implying network calls, but does not document what data is sent, whether files (audio/video) are uploaded, or how responses are handled. The instructions do not mention consent, data retention, or where generated assets are stored.
Install Mechanism
There is no install spec and no code files; being instruction-only reduces disk-write risk. No installers or downloads are requested.
!
Credentials
The SKILL.md references an external API domain but the skill declares no required environment variables, credentials, or auth method. A networked video-generation service typically requires an API key and privacy/usage guarantees; the absence of declared credentials or privacy details is disproportionate and ambiguous.
Persistence & Privilege
Flags show the skill is not 'always' enabled and has default autonomous-invocation settings. Nothing requests persistent system-level privileges or modifies other skills.
What to consider before installing
Before installing, ask the publisher for concrete runtime details: what exact API endpoints are called, whether an API key is required and how it is provided, what user/course data (and any uploaded media) will be transmitted, where generated videos are stored and how long they are retained, and the service's privacy/terms. The apiDomain uses a 'dev' subdomain (mega-api-dev.nemovideo.ai) — that suggests a non-production endpoint; avoid sending real student or sensitive data until you verify the provider and authentication. If you must test, use dummy course content only. If the publisher can't provide authentication and a clear privacy policy, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ekrb5qevrvvrzagbe72pvb1845g3a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments