ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Birthday Video Maker

v1.0.0

It is the week before your parent's seventieth birthday. You have four hundred photos spanning fifty years on your phone, a folder of childhood videos from a...

0· 33·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description describe assembling photos/videos and calling a video-generation API — that matches the curl example which uses a NEMO_TOKEN bearer token. However, registry metadata at the top lists "Required env vars: none" while the SKILL.md and metadata inside it reference a primaryEnv NEMO_TOKEN. The SKILL.md also declares a config path (~/.config/nemovideo/) that is not used in the instructions; this discrepancy should be clarified.
!
Instruction Scope
Runtime instructions are narrowly scoped to uploading media to a single external API (mega-api-prod.nemovideo.ai) via an authenticated POST. That is coherent for a cloud video service, but the skill explicitly directs users to upload potentially highly sensitive personal photos/videos and to use shared-folder links; the skill has no homepage or visible privacy/security policy, and the API host is unfamiliar. This raises privacy and data-exfiltration concerns even though the technical actions described are consistent with the purpose.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
Requesting a single API token (NEMO_TOKEN) is proportionate to calling a hosted video-generation API. But the registry/summary contradictions about required env vars, plus the declared config path (~/.config/nemovideo/) that the instructions never reference, are inconsistent and merit clarification. Ensure the token's scope is minimal and documented before providing it.
Persistence & Privilege
The skill is not always-on and does not request persistent or system-wide privileges. Autonomous invocation is allowed by default (normal for skills); there is no evidence this skill modifies other skills or system settings.
What to consider before installing
Before installing: 1) Confirm where NEMO_TOKEN comes from and whether it has limited scope (read-only vs full account access). 2) Verify the service domain (mega-api-prod.nemovideo.ai) and ask for a privacy/security policy and data retention policy — you will be uploading personal photos/videos. 3) Don’t upload highly sensitive media (financial, medical, identity documents) until you trust the provider; test with non-sensitive samples first. 4) Ask the publisher to fix metadata inconsistencies (registry says no required env vars but SKILL.md uses NEMO_TOKEN and a config path). 5) If you need stricter privacy control, consider doing local editing or using a vetted service with clear contracts. If the publisher cannot answer these questions, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk970561whqawrnqstjjzkt93d983xcc6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎂 Clawdis
Primary envNEMO_TOKEN

Comments