Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Tutoring Video Maker

v1.0.0

Create one-on-one quality tutoring sessions at scale through video with AI — generate tutoring videos that replicate the personalized explanation, patient pa...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Requesting a service token (NEMO_TOKEN) and a NemoVideo config directory (~/.config/nemovideo/) is coherent with a hosted video-generation API. However the skill declares primaryEnv: NEMO_TOKEN while the embedded 'requires.env' list is empty — an internal inconsistency that should be corrected/clarified.
Instruction Scope
This is an instruction-only skill: the SKILL.md directs the agent at runtime. The provided SKILL.md was long and truncated here, and the static scan flagged unicode-control-chars (a prompt-injection pattern). Instruction-only skills can exercise broad power, and hidden/unicode control characters in the instructions are a red flag because they can alter parsing or stealthily change agent behavior. You should review the full SKILL.md (raw) for any steps that read arbitrary files, environment variables, shell history, or exfiltrate data to endpoints other than the NemoVideo service.
Install Mechanism
No install spec and no code files — lowest-risk delivery mechanism. Nothing will be written to disk by an installer step, but runtime instructions in SKILL.md still govern behavior.
Credentials
Requiring a single service token (NEMO_TOKEN) is proportionate for a third‑party API. The skill also references a config path (~/.config/nemovideo/) which could be reasonable for saving tokens or settings. The inconsistency between 'primaryEnv' and the empty 'requires.env' list is confusing and should be resolved before trusting the token. No other unrelated secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/system-wide privileges in the registry metadata. No evidence it modifies other skills or system settings was found in the metadata.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden unicode control characters are not expected in a benign SKILL.md. They can be used to obfuscate or inject instructions that alter how the agent reads or executes the skill. This finding warrants manual review of the raw file for invisible characters and for unexpected instruction fragments.
What to consider before installing
Proceed with caution. Before installing or enabling this skill:
(1) ask the publisher to resolve the metadata inconsistency (NEMO_TOKEN should appear in requires.env or the docs should explain how credentials are provided);
(2) obtain and inspect the full raw SKILL.md (not rendered) for any hidden characters or instructions that read unrelated user files, environment variables, or that send data to unknown endpoints;
(3) verify the NemoVideo service’s domain and API endpoints and confirm that the skill only communicates with those endpoints;
(4) store NEMO_TOKEN with least privilege and consider a scoped/test token first;
(5) test the skill in a sandboxed environment with no sensitive credentials present.
If you cannot get a clean, transparent SKILL.md and a clear explanation of why the token/config path is needed, do not enable the skill.


latest vk977gg3qhc5eha33z8p6r35s0583v16t


Runtime requirements

👩‍🏫 Clawdis
Primary env: NEMO_TOKEN
