ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Event Recap Video

v1.0.5

Create professional event recap videos capturing highlights and key moments with AI production.

0· 76·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md are coherent: creating recap videos via nemoVideo's API reasonably requires an API token and may use a local config directory. However, the registry metadata provided with the skill lists no required env vars or config paths, while the SKILL.md metadata declares a primaryEnv (NEMO_TOKEN) and configPaths (~/.config/nemovideo/). That mismatch is unexpected and should be resolved.
Instruction Scope
The runtime instructions are narrowly scoped: they describe submitting a POST to https://api.nemovideo.ai/v1/generate with a Bearer token and do not instruct reading arbitrary system files or unrelated credentials. The SKILL.md references a local config path (~/.config/nemovideo/) which is plausible for storing credentials, and no other sensitive paths or broad data exfiltration steps are present.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That minimizes install-time risk.
!
Credentials
The SKILL.md declares NEMO_TOKEN as primaryEnv and a config path for storing credentials — which is proportional for an API-based video service. However, the registry-level metadata contradicts this by listing no required env vars or config paths. That inconsistency could be an innocuous packaging oversight, but it also obscures the presence of a credential requirement; users should confirm where and how a token will be stored and used.
Persistence & Privilege
The skill does not request always:true and has no install-time behavior. It does not request system-wide privileges or attempt to modify other skills' configurations. Autonomous invocation is allowed (platform default), which is expected for skills.
What to consider before installing
Before installing or providing credentials: 1) Confirm the skill's registry metadata is updated to list NEMO_TOKEN and the config path (SKILL.md declares both). 2) Verify you trust https://nemovideo.com and the API domain api.nemovideo.ai; check privacy/terms for how uploaded photos/videos are stored/retained. 3) Inspect ~/.config/nemovideo/ (or the storage mechanism the agent will use) to ensure tokens are stored securely and not transmitted to unexpected endpoints. 4) Prefer creating a scoped API token with limited permissions if possible. 5) If you need higher assurance, ask the publisher for an explanation of the metadata mismatch or request a signed/published manifest from their repository before providing credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk979psye77d56yeqp4wcm1p7y183rtn8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments