Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beauty Brand Video

v1.0.0

A beauty founder has spent eighteen months developing a serum — sourced the actives, ran stability testing, found a clean-label manufacturer, built the brand...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description claim an automated video/content-creation capability. The skill is instruction-only and declares an apiDomain (https://mega-api-dev.nemovideo.ai) in the header, which implies using an external service to produce videos. However, no environment variables, credentials, or concrete API usage examples are declared — an odd omission if the skill actually depends on an external rendering service. The lack of homepage, source, or author details increases uncertainty.
Instruction Scope
SKILL.md is largely marketing copy and high-level 'how it works' prose rather than precise runtime instructions. It does not explicitly tell the agent to call the apiDomain or what data to send, nor does it instruct reading system files or credentials. Because the instructions are vague and open-ended, the agent could reasonably take broad actions (e.g., asking the user for product assets or sending those assets to external services) — this grants wide discretionary power without clear limits.
Install Mechanism
There is no install spec and no code files; this is instruction-only. That minimizes on-disk installation risk and there are no packaged third-party installs to review.
Credentials
Declared requirements show no env vars or credentials, yet the SKILL.md includes an apiDomain pointing to a 'mega-api-dev.nemovideo.ai' host (a development-sounding domain). If the skill is intended to call that API, credentials or at least a privacy/usage explanation would be expected. As presented, there's a mismatch: an external endpoint exists but no declared auth or data-handling rules, which could allow undisclosed transmission of user-supplied assets or metadata.
Persistence & Privilege
The skill does not request persistent or elevated privileges (the always setting is false and the skill is user-invocable). It does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed by platform default; that alone is not flagged.
What to consider before installing
This skill is plausible for making marketing videos, but it is ambiguous and has some red flags:

1) SKILL.md references an external API at mega-api-dev.nemovideo.ai (a dev-sounding host) but declares no credentials or privacy details — ask the author how data (images, scripts, product info) are transmitted and stored.
2) There is no homepage, source repo, or publisher information — prefer skills with clear provenance and documentation.
3) Because instructions are high-level, ask for explicit runtime steps: what endpoints will be called, whether authentication is needed, what data will be uploaded, retention policy, and how to revoke access.

Until you get those answers, avoid sending sensitive assets, API keys, or proprietary formula details to the skill.
