ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dental Office Video

v1.0.0

Most people who need a dentist and don't have one are not avoiding dental care because they can't afford it or don't understand its importance. They're avoid...

0· 28·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce dental practice videos and the SKILL.md requests a NEMO_TOKEN (presumably to call an external video service). That credential is coherent with the described purpose. However, the registry-level metadata provided to you earlier lists no required env vars or primary credential, which conflicts with the SKILL.md's openclaw.requires and primaryEnv entries.
Instruction Scope
The runtime instructions are limited to describing video types, example prompts, and a short setup line instructing where to put the NemoVideo token (~/.config/nemovideo/token.txt or NEMO_TOKEN). The instructions do not ask the agent to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no install-time download or code execution risk from packaging or installers.
!
Credentials
Requesting a single NEMO_TOKEN is proportional to calling an external video-generation API. The concern is twofold: (1) the registry metadata shown to you does not list this required credential while the SKILL.md does, which is an incoherence that should be resolved before trusting the skill; (2) the SKILL.md suggests storing the token in a plain-text file under the user's home config directory, which may be accessible to other processes or users if file permissions are not set correctly.
Persistence & Privilege
The skill is not marked always: true and does not request persistent or elevated presence. Allowing the model to invoke the skill autonomously is the platform default and not in itself a concern here.
What to consider before installing
Before installing: (1) ask the publisher to clarify the mismatch between the registry metadata and SKILL.md (confirm that NEMO_TOKEN is required and why it wasn't listed at registry-level); (2) verify the legitimacy and privacy policy of the NemoVideo service and whether it is appropriate to send any patient-identifying data (videos of patients or clinical information may be PHI and require HIPAA/consent safeguards); (3) avoid placing tokens in world-readable plain-text files — prefer setting NEMO_TOKEN as an environment variable or ensure the token file is created with restrictive file permissions; (4) limit the token's permissions and rotate it if possible; and (5) if you need higher assurance, request the skill author to publish explicit registry metadata (required env vars, homepage, and contact) or provide source code so you can confirm exactly what network endpoints and data the skill will use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971c0c9gtt428wqtn24fsmpsd84dyqg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments