ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Learning Center Video — Marketing and Enrollment Videos for Tutoring Centers, Learning Centers, and Academic Support Programs

v1.0.0

Your learning center is getting the results. The student who came in reading two grade levels behind is now reading above grade level. The kid who failed thr...

0· 31·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only marketing/video creation helper — requesting a NEMO_TOKEN and a config path (~/.config/nemovideo/) is coherent if it uploads/exports video content to a 'Nemo' service. However the package has no homepage or source and registry metadata inconsistently shows 'Required env vars: none' while a primaryEnv (NEMO_TOKEN) and a configPath are declared in SKILL.md metadata; that provenance gap is a concern.
!
Instruction Scope
SKILL.md itself is largely copywriting and user-facing prompts (describe center, provide stories, tutor bios, etc.) and does not include commands to read arbitrary system files. Still, it asks for student success stories and other materials that will likely include personally identifiable and educational data (grades, student names) without any instructions about consent or data handling — this increases privacy risk and scope creep if the agent is later instructed to upload or share that content.
Install Mechanism
No install spec and no code files — lowest-risk delivery mechanism. Nothing is downloaded or written by the skill itself according to the manifest.
!
Credentials
A single primary credential (NEMO_TOKEN) and a config path are consistent for a video-export integration, but the registry entry shows 'Required env vars: none' while the SKILL.md metadata lists primaryEnv and configPaths — this inconsistency should be resolved. Also, requesting a token that could allow uploads combined with handling of student PII is a sensitive combination; the skill gives no guidance about token scope or data minimization.
Persistence & Privilege
always: false and no install means the skill does not demand permanent presence or system-wide changes. The skill can be invoked by the agent (default), which is normal; this only becomes higher-risk if combined with broad credentials or unknown provenance (both present here).
What to consider before installing
Before installing, verify the skill's provenance and what 'NEMO_TOKEN' actually grants: ask the publisher for a homepage, privacy policy, and documentation for the Nemo integration. Confirm whether the token can be scoped to only upload specific assets and whether it can be revoked. Be cautious about uploading or entering real student PII (names, grades, parent contact info) — ensure you have parental consent and prefer redacted or anonymized example data for tests. Resolve the metadata inconsistency (registry says no required env but SKILL.md lists a primaryEnv and configPath). If you proceed, create a limited-scope/test token and try with placeholder content first. If you need stronger assurance, ask the publisher for the exact API endpoints the skill will call and for a public source or package repository you can inspect.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fbd6gtk63wccy7hac85yzhn840xfe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis
Primary envNEMO_TOKEN

Comments