Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Public Health Campaign Video

v1.0.0

The vaccination rate in the county is 40% below target. The health department has published fact sheets, run a radio ad, and sent mailers to every household...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and use cases are coherent: a tool to produce public-health outreach videos. There are no declared binaries, env vars, or config paths that are unrelated to this purpose.
Instruction Scope
SKILL.md is primarily marketing and high-level guidance ("Describe the health campaign..."). It contains no concrete runtime steps, no file paths, and no declared data flows. That vagueness grants the agent broad discretion at runtime (e.g., what external data to fetch or what user context to collect), which is a potential scope/privilege risk if the agent is allowed to act autonomously.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing will be written to disk by an installer. This is the lowest-risk install model.
Credentials
The SKILL.md header includes apiDomain: https://mega-api-dev.nemovideo.ai, but the skill declares no required credentials or environment variables and provides no explanation of how that API is used. An external API domain in metadata without documented, proportional credential requirements or a privacy/usage description is an unresolved risk: the agent might call that endpoint or send user-provided campaign materials there without the user being aware of what data is transmitted or whether authentication is required.
Persistence & Privilege
always:false and no install actions; the skill does not request permanent presence or system-level config changes. Model invocation is not disabled (default), which is normal—just be mindful given the other noted concerns.
What to consider before installing
This skill appears to be marketing + high-level guidance for making public-health outreach videos, but it lacks concrete runtime instructions and includes an unexplained external API domain. Before installing:
1) Ask the publisher what apiDomain (https://mega-api-dev.nemovideo.ai) is used for, what endpoints the skill will call, whether any user data or media will be uploaded, and what authentication and privacy protections are in place.
2) Confirm that no credentials or sensitive patient data will be transmitted to third parties.
3) Request a clear SKILL.md runtime flow: what inputs the agent will accept, exactly which external services will be contacted, and whether any files are stored externally.
4) If you plan to allow autonomous invocation, consider disabling autonomous calls or limiting the skill to user-invoked only until you verify its data handling and trustworthiness.
If the publisher cannot provide these details, treat the skill as higher risk and avoid installing it for workflows that involve private or sensitive data.

Like a lobster shell, security has layers — review code before you run it.
