Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Swimming Pool Cleaning Video — AI Marketing Videos for Pool Cleaning and Pool Maintenance Services

v1.0.0

Swimming pool owners book the service company they trust — and trust starts with seeing the work before the first call. A homeowner whose pool turned green l...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Requesting a single API token (NEMO_TOKEN) is consistent with a cloud video-generation service. However, the SKILL.md embeds an apiDomain pointing to a 'mega-api-dev.nemovideo.ai' (a development host) and the SKILL.md metadata lists a config path (~/.config/nemovideo/) that is not present in the registry metadata — this discrepancy is unexplained and unusual for a published skill.
Instruction Scope
The runtime instructions are very short and do not explicitly instruct the agent to read local files, but they are vague about what user content (descriptions, images, or raw video) will be transmitted to the external API. The SKILL.md metadata implies a local config path that could be read, but the registry entry did not list that config path — this mismatch raises concern about what the agent may access or upload.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by an installer. Instruction-only skills are lower risk from an install standpoint.
Credentials
Only one environment variable (NEMO_TOKEN) is required, which is proportionate for a third-party API. The assessment cannot confirm the token's scope; a single token could nevertheless grant broad access (including upload/read of user media) depending on the external service's design.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request persistent system-wide privileges in the provided metadata.
What to consider before installing
Before installing: verify the skill's source and repository or homepage (none is provided here). Ask the author which endpoint is used (production vs dev) and what data the service will receive and store (will your photos/videos or customer data be uploaded?). Confirm the NEMO_TOKEN scope and use a token restricted to this service (not a broad account/global secret). Clarify whether the agent will read ~/.config/nemovideo/ (the SKILL.md mentions it) and, if so, what is stored there. If you must test, do so with non-sensitive sample data and a limited-scope/test token. If you cannot obtain clear answers about data handling or the endpoint, treat this skill as higher risk and avoid providing production credentials or sensitive media.


latestvk9799d2pqf8x921n44n67crq5s83zp6t


Runtime requirements

🏊 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
