ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Art Class Video

v1.0.0

Provides short-form videos showcasing kids' art classes to help parents see class atmosphere, student work, instructors, and enrollment details.

0· 32·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name and description promise delivering short-form videos showcasing classes, but the bundle is instruction-only and declares no credentials, no required binaries, and no install — there are no concrete mechanisms for creating, fetching, or hosting videos. An apiDomain and account are present in the header, but the skill does not document how the agent should interact with that service, which is inconsistent with the stated purpose.
Instruction Scope
SKILL.md is essentially marketing/promotional text rather than runtime instructions. It does not tell the agent to read files, call specific endpoints, or use credentials (so no obvious exfiltration). However the presence of an external apiDomain (https://mega-api-dev.nemovideo.ai) and an account name is ambiguous: it could be intended as an endpoint the agent should call, but there are no explicit API paths, auth details, or usage rules.
Install Mechanism
No install spec or code files are present. This lowers the risk from arbitrary code execution because nothing will be written to disk by an installer.
Credentials
The skill requests no environment variables or credentials, which is safe but surprising given it claims to provide videos (typically requires access to media storage/API keys). The lack of required credentials means the skill as provided cannot demonstrably access an external video service — another sign of incompleteness or poor documentation.
Persistence & Privilege
Flags show no forced persistence (always: false) and normal model invocation is allowed. There is no indication the skill alters other skills or system-wide configs.
What to consider before installing
This skill looks like promotional copy, not an actionable integration. Before installing: ask the publisher for documentation that explains how videos are created/hosted, what APIs are called, and what credentials (if any) are required. Verify ownership of the listed apiDomain and request sample API endpoints and auth flows. If you install anyway, prefer installing in a restricted or test agent, disable autonomous network access until you confirm behavior, and avoid providing any sensitive data (student/parent PII or private keys). The absence of installs/credentials reduces immediate risk, but the header fields make the skill ambiguous — treat it as incomplete and demand clarification.

Like a lobster shell, security has layers — review code before you run it.

latestvk9794x67nmj05jjd328gx9kbts841kaf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments