ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wedding Venue Promo Video — AI Marketing Videos for Wedding Venues and Event Spaces

v1.0.0

Couples book the venue they can picture themselves in — and the venue that gets pictured first is the one that shows up in their Instagram feed with a 60-sec...

0· 64·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (generate short marketing videos for venues) is coherent with the skill name and description. However the metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) that are not reflected in the SKILL.md instructions; either the skill integrates with an external 'Nemo' service (reasonable) or the credential/config declaration is spurious. This mismatch is unexplained.
!
Instruction Scope
The SKILL.md is high-level marketing copy and gives no concrete runtime instructions (no API endpoints, no file reads, no commands). It does not mention using any environment variables or config files, despite metadata that claims such artifacts exist. The vagueness grants broad discretion and leaves unanswered whether the skill will read local config, upload venue photos, or transmit user data to external services.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by an installer. Instruction-only skills are lower risk from an install/execution perspective.
!
Credentials
The metadata lists a primaryEnv 'NEMO_TOKEN' and a config path but the SKILL.md lists no required environment variables and makes no mention of needing credentials. Requesting a token without documenting why or how it will be used is disproportionate and unexplained. If the skill truly needs an API token for an external video service, that should be declared and justified in the instructions.
Persistence & Privilege
The skill does not request always-on presence and is user-invocable only; it does not request elevated persistent privileges. No red flags on persistence.
What to consider before installing
This skill reads like a marketing copy without concrete runtime behavior, yet its metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/). Before installing or providing any secrets: ask the publisher to explain exactly which API(s) the skill calls, what endpoints and domains will receive your data, why NEMO_TOKEN is needed (and whether it will be stored), whether the skill will read files from ~/.config/nemovideo/, and what user data (photos, venue details, guest info) will be uploaded. If they cannot provide clear, narrow answers and a privacy/data-retention policy, treat the credential requirement as unnecessary and avoid installing or providing tokens. If you proceed, prefer creating a scoped/limited token and test with non-sensitive sample data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aadq6c87wgg97vdz12gb6z583xrmn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💒 Clawdis
Primary envNEMO_TOKEN

Comments