ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Birthday Party Planner Video — AI Marketing Videos for Birthday Party Planning Services

v1.0.0

Most birthday party planners lose the booking before the first phone call — not because the pricing is wrong, but because the parent couldn't picture what th...

0· 38·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to produce short promotional videos from event photos/footage — that could legitimately require an external video service. However, the skill metadata declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) while the SKILL.md does not mention any external service, API calls, or the need for that token/config. The required credential/config is unexplained relative to the stated purpose.
!
Instruction Scope
SKILL.md is high-level marketing copy and usage guidance; it contains no runtime instructions that reference environment variables, config files, upload endpoints, or network calls. Because metadata suggests a secret and a config path will be used at runtime but the instructions don't show how, the instruction scope is inconsistent and opaque.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk during installation. That minimizes install-time risk.
!
Credentials
The skill declares a single primary credential (NEMO_TOKEN) and a config path into the user's home directory. A single token could be reasonable for a third‑party video service, but the SKILL.md offers no justification for what NEMO_TOKEN grants (upload, billing, account access) or why a local config path is needed. Access to user config/home paths can expose more data than expected (saved sessions, recent files).
Persistence & Privilege
The skill does not request always:true and has no special OS or installation privileges. It is user-invocable and can be called autonomously by the agent (default behavior), which is normal and not by itself a red flag.
What to consider before installing
Before installing or enabling this skill: 1) Ask the maintainer what NEMO_TOKEN is, which service 'Nemo' refers to, and exactly what permissions that token grants (upload, read, billing, account admin). 2) Confirm whether the skill uploads photos/videos to an external service, how long media are retained, and whether media are shared publicly. 3) Ask why the skill needs access to ~/.config/nemovideo/ and what files it will read or write. 4) If you must provide a token, create a scoped/testing account or token with minimal permissions and no payment method. 5) Prefer to test with non-sensitive sample media. 6) If the owner cannot answer these questions or the token grants broad access, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ds6nwc1acb03tewzwkb36d83xb0q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎂 Clawdis
Primary envNEMO_TOKEN

Comments