ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Music Lesson Video

v1.0.0

Learn any instrument or music skill through clear video instruction with AI — generate music lesson videos covering instrument technique, music theory, ear t...

0· 39·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim to generate AI music lesson videos. Requesting a single service credential (NEMO_TOKEN) and a NemoVideo config directory (~/.config/nemovideo/) is consistent with integrating an external NemoVideo API. However, the registry metadata earlier listed no required config paths while SKILL.md metadata includes ~/.config/nemovideo/ — this mismatch is an incoherence that should be resolved with the author.
Instruction Scope
This is an instruction-only skill (no code files), and the provided SKILL.md content appears largely marketing and use-case text. There are no obvious instructions in the visible snippet that ask the agent to read arbitrary system files or unrelated environment variables, but the SKILL.md metadata references a config path which implies the skill may read ~/.config/nemovideo/. Because SKILL.md is the runtime instruction surface, you should review the entire SKILL.md to confirm it does not direct the agent to read other sensitive files or exfiltrate data.
Install Mechanism
No install spec and no code files — the lowest-risk install model. The skill is instruction-only so it won't write binaries to disk by itself.
Credentials
The single primary credential NEMO_TOKEN is reasonable for a third‑party video generation API. However, the skill requests access to a user config path (~/.config/nemovideo/) according to SKILL.md metadata (despite registry metadata saying none), which could expose stored tokens or config. Confirm what permissions the NEMO_TOKEN grants and that it is scoped only to the NemoVideo service — do not reuse high-privilege or unrelated credentials.
Persistence & Privilege
always is false and there is no install behavior that requests persistent system presence. The skill does not request elevated platform privileges in the provided metadata.
What to consider before installing
This skill could be legitimate, but exercise caution before installing. Actions to take: 1) Ask the author for a source repository or homepage and for a clear description of the NemoVideo API endpoints the skill calls. 2) Verify the exact permissions and scope of NEMO_TOKEN — do not supply broad tokens (AWS, GitHub, etc.). 3) Inspect the full SKILL.md to confirm it does not instruct the agent to read unrelated files or network to unexpected hosts. 4) If you must try it, create a dedicated, limited-scope NemoVideo API token and run the skill in a sandboxed environment; avoid uploading sensitive or private audio/video until you trust the service. 5) Resolve the metadata inconsistency about config paths (~/.config/nemovideo/) before usage. If the author cannot provide a verifiable source or token-scope documentation, treat the skill as risky and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6c1gexr4w6pmjx2dvcjccn83vdhq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
Primary envNEMO_TOKEN

Comments