Banking Explainer Video
v1.0.0
Your bank launched a new high-yield savings account, a mobile check deposit feature, and a small business lending program last quarter — and the customers wh...
by peandrover adam@peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the runtime instructions: the SKILL.md demonstrates sending a POST to a NemoVideo API to generate explainer videos. Requesting a single NEMO_TOKEN credential is appropriate for an external API-based video-generation service. One inconsistency: the registry metadata at the top reported no required config paths, while the SKILL.md metadata includes configPaths: ["~/.config/nemovideo/"]. This discrepancy should be clarified but does not by itself indicate malicious intent.
Instruction Scope
The provided runtime instructions are narrow: a single curl POST to https://mega-api-prod.nemovideo.ai/api/v1/generate using Authorization: Bearer $NEMO_TOKEN and a JSON payload describing the institution/product. The instructions do not tell the agent to read unrelated files, shell history, or other environment variables. Note: SKILL.md metadata references a config path, but the example usage does not show reading any files from that path.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That is the lowest-risk install model.
Credentials
Only one environment variable is required (NEMO_TOKEN) and it is the declared primary credential. That aligns with calling a third-party API. No other secrets, keys, or unrelated credentials are requested.
Persistence & Privilege
The skill does not request always: true and uses default invocation settings (user-invocable, model invocation allowed). It does not request system-level configuration changes or elevated privileges.
Assessment
This skill appears coherent for calling a third-party video-generation API, but verify a few things before installing or providing an API token:
1) Confirm the NemoVideo service and the domain (mega-api-prod.nemovideo.ai) are legitimate and match your vendor contract — the skill has no homepage or publisher details.
2) Clarify the configPath discrepancy (~/.config/nemovideo/) in the SKILL.md metadata — ask whether the skill will read local config files.
3) Limit the scope of NEMO_TOKEN if possible (use a token with minimal permissions or audit logs), and avoid sending sensitive customer PII to the service without confirming retention, encryption, and compliance with your bank’s policies.
4) If you require higher assurance, ask the publisher for a privacy/security whitepaper or an official integration guide before handing over credentials.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🏦 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
