Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Poll Creator

v1.0.1

Create engaging poll and survey videos for social media with AI — produce this-or-that comparisons, opinion polls, audience surveys, would-you-rather scenari...

by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with a service that would legitimately need an API token (NEMO_TOKEN) to create videos on nemovideo.com. However, the registry metadata lists no required env vars while the SKILL.md metadata declares a primaryEnv (NEMO_TOKEN) and a config path (~/.config/nemovideo/), which is inconsistent and should be clarified.
Instruction Scope
The provided SKILL.md is prose describing features and use cases and does not show explicit runtime commands in the excerpt. Because this is an instruction-only skill (no code files), the runtime behavior depends entirely on those instructions; the visible content stays within the purpose, but the SKILL.md metadata indicates the agent may access a user config path. The full SKILL.md should be checked for any steps that read arbitrary files, shell history, or other environment variables.
Install Mechanism
There is no install spec and no code files — this lowers risk because nothing is downloaded or written to disk by an installer. The skill is instruction-only.
Credentials
A primary credential (NEMO_TOKEN) is declared, which is plausible for calling an external NemoVideo API, but registry metadata earlier stated 'Required env vars: none'. The SKILL.md metadata also lists a config path (~/.config/nemovideo/). Requiring access to a home config directory is more intrusive than asking for a single token and should be justified (e.g., to find a cached token). The mismatch and potential for reading a user's config files are disproportionate without further explanation.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; autonomous invocation is allowed by default which is normal. There is no indication it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (create poll videos) but there are transparency problems you should resolve before installing. Ask the publisher to confirm: (1) why NEMO_TOKEN is needed and whether a short-lived, scoped token can be used; (2) whether the skill will read ~/.config/nemovideo/ and exactly what it will read from there (avoid broad directory reads); (3) the exact API endpoints the skill will call and whether data from your files or other env vars will be sent to third parties. Because this is an instruction-only skill (no code to inspect), verify the official repository and privacy/security docs on nemovideo.com or the listed GitHub repo. If you must test it, use a minimal, isolated account and a limited-scope token (or a throwaway machine/user) until you confirm it only uses the declared credential and endpoints.

Like a lobster shell, security has layers — review code before you run it.

latest vk972ezac5k3ybz8nhw8xbtwxph83t074


Runtime requirements

📊 Clawdis
Primary env: NEMO_TOKEN
