Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Comparison Video Maker

v1.0.2

Create clear product comparison and versus videos with AI-powered analytical content production.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (create comparison videos) aligns with needing an API token for a third‑party video generation service (NEMO_TOKEN). However the registry metadata lists no required env vars while the SKILL.md declares primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/). That mismatch is incoherent: a consumer would reasonably expect the token requirement to be declared in the registry.
Instruction Scope
SKILL.md contains only high-level workflow and a simple curl example to the provider's API. It does not instruct the agent to read unrelated system files or exfiltrate data. Still, the metadata block in SKILL.md references a config path (~/.config/nemovideo/) that the registry summary omitted; the instructions do not clarify how that path is used, which expands scope ambiguity.
Install Mechanism
No install spec or code files are present (instruction-only). That minimizes risk from arbitrary code downloads or local installs.
Credentials
Requiring a service token (NEMO_TOKEN) is reasonable for an API-based video generator. The concern is the metadata inconsistency: the registry reported 'Required env vars: none' while SKILL.md declares primaryEnv: NEMO_TOKEN and a config path. Declaring a config directory can expose stored credentials or config files; the skill should clearly document exactly what env variables and config files it will use.
Persistence & Privilege
The skill does not request 'always: true' and has no install behavior or system-wide changes described. Autonomous invocation is allowed (default) but not combined with other high privileges.
What to consider before installing
This skill looks like a legitimate integration with NemoVideo, but the package metadata is inconsistent: the registry claims no required env vars while the SKILL.md names a primary token (NEMO_TOKEN) and a config path. Before installing, verify the following:
1) Confirm the correct API domain/endpoint (SKILL.md shows two slightly different domains) and that the homepage/repository are legitimate.
2) Prefer creating a dedicated, scoped API token for this skill (so it has minimal privileges).
3) Inspect the ~/.config/nemovideo/ directory (if present) to understand what will be read or stored there.
4) Ask the publisher to fix registry metadata so required env vars and config paths are explicit.
If you cannot validate those items, avoid supplying high-privilege credentials.

Like a lobster shell, security has layers — review code before you run it.
