Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sales Pitch Video

v1.0.2

Create persuasive sales pitch and product demo videos with AI-powered conversion content.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an API-driven video generator that reasonably needs an API token (Authorization: Bearer YOUR_TOKEN) and may read a NemoVideo config; however the registry metadata presented to you earlier lists no primary credential or required env vars while the SKILL.md sets primaryEnv: NEMO_TOKEN and a configPaths entry (~/.config/nemovideo/). That mismatch is inconsistent and unexplained.
Instruction Scope
The runtime instructions themselves are narrowly scoped: they show how to call the NemoVideo API (curl example) and explain parameters and outputs. The SKILL.md does not instruct the agent to read arbitrary files or exfiltrate data. However the metadata's configPaths entry implies the skill might read ~/.config/nemovideo/, but the instructions don't document what would be read or why.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. Low install risk.
Credentials
Using an API token (NEMO_TOKEN) is proportionate for a cloud video-generation API. But the registry snapshot you were shown lists no required env vars while SKILL.md declares a primaryEnv and a user config path. Requiring access to ~/.config/nemovideo/ could expose stored credentials or settings; the skill does not justify or document reading that path.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default), which is expected for skills that call remote APIs.
What to consider before installing
Before installing, confirm which credential the skill actually needs (NEMO_TOKEN) and whether you must place it in an environment variable or in ~/.config/nemovideo/. Ask the publisher to reconcile the registry metadata with the SKILL.md (registry showed no primary credential but SKILL.md declares NEMO_TOKEN and a config path). Only provide a token with the minimum required scope, consider using a revocable/test token first, and avoid placing long-lived high-privilege secrets in a shared ~/.config location unless you trust the vendor. If you need higher assurance, request explicit documentation from the author about what, if anything, the skill reads from ~/.config/nemovideo/ and whether it transmits any local files.

Like a lobster shell, security has layers — review code before you run it.
