Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Corporate Event Planner Video — AI Marketing Videos for Corporate Event Companies and B2B Event Planners
v1.0.0
A procurement director at a 400-person tech company opens three vendor tabs before her 9am standup. Tab one: a corporate event company with a homepage video...
by peandrover adam@peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to use a NemoVideo service to build marketing videos from event photos/footage — requiring a service token (NEMO_TOKEN) and a config path (~/.config/nemovideo/) is consistent with that purpose. However the registry metadata lists no required env vars while the SKILL.md metadata declares a primaryEnv (NEMO_TOKEN) and a config path, creating an inconsistency between claimed requirements and declared requirements.
Instruction Scope
SKILL.md is an instruction-only skill that describes how NemoVideo will assemble footage and images into marketing videos. From the provided excerpt there is no evidence the instructions demand unrelated system access. That said, the metadata's reference to a user config path (~/.config/nemovideo/) implies the skill may read local configuration or credentials; the SKILL.md excerpt does not clearly document exactly which local files or user data will be read or transmitted to the remote service.
Install Mechanism
No install spec and no code files are present; no binaries are installed and nothing is written to disk by an installer. Instruction-only skills have the lowest install risk.
Credentials
A primary credential NEMO_TOKEN is declared (SKILL.md metadata) but the registry 'required env vars' list is empty — this mismatch is concerning. Requesting a single API token for a video processing service is plausible and proportionate for the stated purpose, but the skill also references a config path (~/.config/nemovideo/) which could expose additional local secrets or tokens if used. The skill does not declare what scopes the token requires or exactly what data is uploaded.
Persistence & Privilege
always is false and there is no indication the skill requests permanent privileged presence or modifies other skills. Autonomous invocation is allowed (platform default) but not by itself a reason for concern. There is no install-time persistence requested.
What to consider before installing
This skill appears to rely on a NemoVideo service and expects a service token (NEMO_TOKEN) and possibly a local config at ~/.config/nemovideo/. Before installing, verify the NemoVideo service and operator: find an official homepage, documentation, and privacy/security policy. Ask the publisher how NEMO_TOKEN is used, what token scopes are required, and whether any local files from ~/.config/nemovideo/ will be read or uploaded. Do not provide tokens that grant broad access to unrelated cloud accounts or secrets. If you cannot confirm the vendor or the exact data flows (what files are uploaded, retention, and who can access processed media), treat this as higher risk and avoid installing or provide a restricted test token and non-sensitive test media first.
Like a lobster shell, security has layers — review code before you run it.
latestvk972ejajb3ydvdffcxt089p4qh83x4ph
Runtime requirements
🏢 Clawdis
Primary env: NEMO_TOKEN
