ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hvac Company Video

v1.0.0

AI video creation for HVAC company marketing — generate seasonal maintenance campaign videos, emergency repair service ads, equipment installation showcases,...

0· 52·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim a content-generation/video-production capability for HVAC marketing. The skill is instruction-only with no binaries, installs, or required env vars — this is a plausible, coherent footprint for a tool that drafts scripts/storyboards, shot lists, and video templates for manual rendering or for use with third-party video generators.
!
Instruction Scope
The excerpted SKILL.md asks users to 'describe the service, the season, the zip code, and the offer' and promises 'publish-ready' assets and platform-targeted creatives (Google Business Profile, Nextdoor, Facebook, Instagram, YouTube, TikTok, etc.). Because the full SKILL.md was truncated in the provided data, it's unknown whether runtime instructions attempt to: (a) call external APIs, (b) instruct the agent to collect extra system context (files, environment variables), or (c) solicit/prompt users for credentials to post content. Any of those would be scope creep relative to a pure content-generation skill and should be flagged. Verify the full SKILL.md for explicit publishing steps, network endpoints, or instructions that ask the agent to access local files or credentials.
Install Mechanism
No install spec and no code files are present. Instruction-only skills have a smaller disk/execution surface; nothing will be downloaded or written by an install step. This is proportionate for a content-generation helper.
!
Credentials
The registry metadata lists no required env vars or primary credential. However, the skill description repeatedly references producing assets for many external platforms. If the SKILL.md (in full) includes instructions to publish or integrate with platform APIs, the absence of declared environment variables (API keys/tokens) is an inconsistency. Confirm whether the skill expects the user to manually provide credentials at runtime, or whether it performs any automated posting — if it does, the skill should declare which credentials it will need.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not appear to request system-wide config changes or to persist credentials. Autonomous invocation is allowed (the platform default) but not, by itself, a red flag here.
What to consider before installing
Before installing or enabling this skill: 1) Read the entire SKILL.md (not just the excerpt). Search it for verbs and patterns that indicate network/publishing activity (POST, curl, fetch, api., oauth, token, key, client_id, upload, s3, googleapis, facebook, nextdoor, youtube). 2) If the skill includes automatic publishing steps, ensure it lists exactly what environment variables or credential input it requires — do not provide high-privilege or primary account credentials; prefer a limited-scope service account. 3) If the skill asks you to paste credentials into chat or into prompts, treat that as a red flag; prefer manual export/upload workflows. 4) Review how generated videos are returned and where they are stored; verify whether files are uploaded to third-party storage or retained by the agent. 5) Test with non-sensitive dummy data (fake addresses/offers) before using real customer information or publishing publicly. 6) If you want a safer posture and the SKILL.md includes publishing instructions, ask the publisher to separate content generation (no credentials needed) from publishing integrations (explicit, declared env vars and install steps). Note: confidence is medium because the SKILL.md provided here was truncated — full-file review could change the assessment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97awjd72wxvtersg8bdr9vbwh84ctav

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments