ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Eco Tourism Video

v1.0.0

Promote sustainable travel, wildlife conservation, and green destinations with AI — generate eco tourism videos covering carbon-conscious travel planning, wi...

0· 50·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description describe an AI video generator for eco‑tourism, which reasonably could require an external video service token and a config directory. However, metadata is internally inconsistent: primaryEnv is set to NEMO_TOKEN but requires.env is an empty list. That mismatch makes it unclear whether the skill actually needs credentials or whether metadata is stale/misconfigured.
Instruction Scope
The SKILL.md content focuses on producing eco‑tourism video content, sustainability frameworks, and ethical guidance. There is no evidence in the provided text that the skill instructs the agent to read unrelated system files, aggregate system secrets, or exfiltrate data. The only system access implied by metadata is the listed config path (~/.config/nemovideo/), which could be reasonable for a client storing a token or settings.
Install Mechanism
This is an instruction‑only skill with no install spec and no code files — lowest installation risk. Nothing will be written to disk by an installer because there is no install mechanism declared.
!
Credentials
Metadata declares a primaryEnv (NEMO_TOKEN) and a config path (~/.config/nemovideo/), but requires.env is empty and SKILL.md does not explicitly state how the token is used. Requiring a token would be proportionate for a third‑party NemoVideo API, but the omission from requires.env is a configuration/information gap. Users should assume a credential may be needed; confirm what token scope is required and why before providing secrets.
Persistence & Privilege
The skill does not request always:true, has no install/daemon behavior, and does not declare system‑wide modifications. Autonomous invocation is enabled (default) but not combined with other high‑risk indicators.
What to consider before installing
This skill appears to be what it claims (an AI eco‑tourism video generator) but there are mismatches you should resolve before installing or providing secrets. Ask the publisher these questions: (1) Why is NEMO_TOKEN listed as primaryEnv but not included in requires.env — will the skill actually need a token? (2) What is the NemoVideo service endpoint and scope of the token (read‑only/limited vs full account access)? (3) What data is stored in ~/.config/nemovideo/ and is it encrypted? (4) Provide a source or homepage and privacy/security documentation so you can audit how credentials are used. If you must test, use a restricted token with minimal permissions and monitor access; do not reuse high‑privilege credentials (e.g., account admin keys).

Like a lobster shell, security has layers — review code before you run it.

latestvk970m8rjwrdaast34ydsh9947983tr32

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌿 Clawdis
Primary envNEMO_TOKEN

Comments