Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Backpacking Video Maker

v1.0.1

Create inspiring backpacking adventure videos covering routes, gear, and tips with AI.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the instructions: the SKILL.md shows the agent should call NemoVideo's API to generate videos. That capability reasonably requires an API token and possibly a local config for tokens. However, the registry metadata and the front-matter in SKILL.md disagree about what is required (see environment_proportionality), so the declared purpose is mostly coherent but metadata inconsistencies reduce trust.
! Instruction Scope
The SKILL.md includes a clear curl example that sends requests to https://api.nemovideo.ai with an Authorization bearer token — this is within scope. However, the front-matter metadata lists a config path (~/.config/nemovideo/) and a primaryEnv (NEMO_TOKEN) while the rest of the instructions do not explain how or when that config path will be read. That creates ambiguity: the skill may (or the platform may) read a user config directory that the prose never mentions.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation perspective because nothing is downloaded or written by the skill itself.
! Credentials
The registry metadata lists no required env vars, but the SKILL.md front-matter declares primaryEnv: NEMO_TOKEN and configPaths: ['~/.config/nemovideo/']. The curl example demonstrates the need for a bearer token. The inconsistency (missing required env listing) is concerning because it obscures what secrets the skill will need or access. Also, the config path could contain other credentials/config that a platform integration might read; the skill does not justify or document this access.
Persistence & Privilege
always is false and there is no install or persistent background agent component. The skill can be invoked autonomously by the model (platform default), which is normal; there is no elevated or permanent presence requested.
What to consider before installing
This skill appears to be a straightforward wrapper around NemoVideo's API, but there are unexplained metadata inconsistencies you should resolve before installing. Specifically:
(1) Confirm whether the skill requires an API token (NEMO_TOKEN). If so, the registry should list it as a required env var and explain how tokens are stored/used.
(2) Ask the maintainer why ~/.config/nemovideo/ is listed as a required config path and what files will be read; ensure the platform won't send unrelated secrets from that directory.
(3) Prefer creating a limited-scope or expendable API token for testing rather than using a high-privilege credential.
(4) Verify the source repository (https://github.com/nemovideo/nemovideo_skills) and the vendor (nemovideo.com) for trustworthy implementation details and a documented privacy policy.
If you can't get clear answers about the token and config path behavior, consider the skill suspicious and avoid provisioning real credentials.

Like a lobster shell, security has layers — review code before you run it.
