ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ballet School Video

v1.0.0

A parent putting a five-year-old in ballet for the first time is not looking for a professional training program. They are looking for a teacher who will mak...

0· 55·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The textual purpose is content and video marketing guidance for ballet schools and does not by itself require any API credentials. However the SKILL.md metadata declares openclaw.requires: ["NEMO_TOKEN"] and openclaw.primaryEnv: NEMO_TOKEN, which is not justified by the described functionality and is inconsistent with the registry's earlier 'required env vars: none'.
Instruction Scope
The SKILL.md is instruction-only and primarily asks for school details and prompts to generate video scripts and related content. There are no explicit runtime instructions to read local files or transmit data elsewhere in the visible content, but the embedded metadata signals the agent expects a NEMO_TOKEN without describing how or why it will be used.
Install Mechanism
No install spec and no code files are present, so nothing is written to disk or installed. This lowers surface risk compared with downloadable installs.
!
Credentials
Requiring a single env var named NEMO_TOKEN (as primary credential) is disproportionate and unexplained for a content-generation/marketing skill. The env var name implies a secret; the SKILL.md provides no description of the service that token would authenticate or why it is needed.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. Model invocation is enabled (normal), and there is no evidence it modifies other skills or agent-wide settings.
What to consider before installing
This skill appears to be a benign instruction set for creating ballet-school marketing content, but it declares a required secret (NEMO_TOKEN) in its SKILL.md header with no explanation. Before installing or providing any token: 1) Ask the publisher what NEMO_TOKEN is, which external service it authenticates, and why the skill needs it. 2) If they need a third‑party API, verify the endpoint and privacy policy; prefer creating a dedicated, limited-scope token in a throwaway/test account rather than using any sensitive production credential. 3) If you cannot verify those details, avoid supplying secrets — you can still use the skill manually by copying its instructions into a session without granting environment access. 4) Consider requesting the publisher remove the env requirement or document exactly how the token is used.

Like a lobster shell, security has layers — review code before you run it.

latestvk978t3bq13psw6aahffrh2qyxh84btqd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments