ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pottery Studio Promo Video

v1.0.0

Pottery studios and ceramic arts schools that publish atmospheric video content of the throwing and glazing process fill their classes 4x faster than studios...

0· 53·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim the skill creates promotional videos, which plausibly could require access to a video service token (NEMO_TOKEN). However, the skill requests a config path (~/.config/nemovideo/) in its metadata even though the SKILL.md does not explain or show why that path is needed.
!
Instruction Scope
SKILL.md is purely high-level marketing and use-case text; it contains no concrete runtime instructions, API endpoints, commands, or data flows. It does not show how NEMO_TOKEN or the listed config path are used. Because the runtime behavior is unspecified, it's unclear what data would be read, transmitted, or stored.
Install Mechanism
No install spec and no code files are present, so nothing would be written to disk by an installer. This is lower risk, but also means the skill currently provides no executable integration steps.
Credentials
Only one credential (NEMO_TOKEN) is required, which is plausible for a third-party video API. However, the declared config path suggests access to user config files; SKILL.md gives no justification for needing that path or what would be read from it.
Persistence & Privilege
The skill does not request always: true and has default autonomy settings. It does not declare modifications to other skills or system-wide settings.
What to consider before installing
This skill's metadata asks for an API token (NEMO_TOKEN) and a Nemo config path, but the runtime instructions are missing — there are no concrete steps showing how the token or config would be used. Before installing, ask the publisher for: (1) a clear README or SKILL.md that explains exact runtime behavior (API endpoints called, data sent, and what is read from ~/.config/nemovideo/), (2) the minimal required token scope and whether you can use a restricted/test token, and (3) an official homepage or source repository you can review. If you must try it, avoid supplying high-privilege or production credentials until you can confirm the integration's exact behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk973t2n892bg0pfczv8f2sa9vs849pqv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏺 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments