Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skin Care Clinic Video — AI Marketing Videos for Aesthetic Skin Clinics and Beauty Dermatology
v1.0.0
Picture this: a patient drives past your skin care clinic every morning on the way to work. She has been thinking about getting her melasma treated for eight...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce marketing videos for skin clinics — that plausibly requires calling an external video-generation API and thus a service token (NEMO_TOKEN). However the registry metadata lists primaryEnv: NEMO_TOKEN while the declared required env list is empty, and the SKILL.md never documents how or when that token or the config path (~/.config/nemovideo/) are used. The presence of an API domain in the SKILL.md header is consistent with an external service but lacks operational detail.
Instruction Scope
The SKILL.md is an instruction-only document with only marketing-oriented prompts (describe treatments, target concerns). It does not describe how images or source media are provided, whether the agent will read local files, nor how patient photos (potentially health-related data) are uploaded, stored, or shared with the external API. Metadata references a config path but the runtime instructions do not explain any file or credential access — a mismatch that could hide undescribed behavior.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That limits the surface written to disk and reduces install-time risk.
Credentials
A primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) are declared, which is reasonable for a hosted API service. However the registry also lists no required env vars and the SKILL.md omits any instructions about authentication, token scope, or where tokens are read from. This inconsistency and lack of justification for credentials is concerning, especially given that the service will likely accept image uploads containing sensitive health information.
Persistence & Privilege
always is false and there is no install or persistent modification claimed. The skill does not request elevated persistent privileges in the manifest.
What to consider before installing
This skill appears to be an instruction-only connector to an external video-generation API, but the package metadata is inconsistent and important privacy and credential details are missing. Before installing or using it:
- Ask the publisher (or the registry) to clarify exactly how NEMO_TOKEN is used, where it is read from (env vs config file), and what token scopes or permissions are required.
- Request documentation of what data (images, text, metadata) will be transmitted to https://mega-api-dev.nemovideo.ai, how long data is retained, and whether patient-identifying information is removed or protected. Video creation for clinics often involves health-related images — avoid uploading real patient photos until you have explicit privacy guarantees.
- Prefer a skill with a known source/homepage and explicit API/docs. If you must test, use synthetic or anonymized images, a dedicated limited-scope token, and monitor network calls.
- The manifest mismatch (primaryEnv set but required env empty, plus an unexplained config path) is a red flag — treat this as untrusted until the author provides clarifying documentation.
Like a lobster shell, security has layers — review code before you run it.
latestvk975pm67a1r2pef9jygwtbd6ys83zh7z
Runtime requirements
✨ Clawdis
Primary env: NEMO_TOKEN
