ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Family Law Attorney Video

v1.0.0

A parent sits at the kitchen table at 11 PM, kids asleep, looking at divorce paperwork they don't understand. They search "family law attorney near me" and g...

0· 25·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described purpose (creating attorney marketing and explanatory videos) is plausible for an instruction-only skill that calls an external video-generation service. However the SKILL.md includes an explicit apiDomain (https://mega-api-dev.nemovideo.ai) that looks like a development/test endpoint and there is no publisher homepage or contact. The presence of a dev-sounding API host with no declared credentials or provenance is unexpected for a production-facing marketing/video tool.
!
Instruction Scope
As an instruction-only skill it will rely on network calls to the listed apiDomain. The skill's workflow inherently involves collecting attorney practice details and client outcome stories — potentially sensitive legal or personally identifiable information — and the SKILL.md gives no information about what data is sent, how it's protected, or where it is stored. The skill may therefore transmit confidential client or case details to a third party without declaring that behavior.
Install Mechanism
There is no install spec and no code files — lowest-risk delivery method from an install perspective. Nothing is written to disk by an installer.
!
Credentials
requires.env lists no credentials, but the SKILL.md names an external API domain that would typically require an API key or auth. The absence of declared environment variables or a primary credential is inconsistent with the presence of an external service endpoint; this mismatch suggests either the skill expects unauthenticated calls (unusual) or it omits necessary credential requirements. Additionally, handling of potentially sensitive client narratives is not justified by any declared privacy controls.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent platform privileges. Autonomous invocation is allowed by default but is not combined here with other explicit elevated privileges.
What to consider before installing
Do not install or use this skill until the publisher provides clear answers: (1) Who operates https://mega-api-dev.nemovideo.ai (production vs dev host) and a privacy/security policy? (2) Does the service require and where will it store API keys or other credentials (declare env vars)? (3) Exactly what data will be sent (examples), how long is it retained, and how is it protected? (4) Is there an option to run processing locally or to avoid sending real client PII or case details? Ask for a production API domain and contract/terms for handling attorney-client information; if you plan to test, use only nonsensitive dummy data. If the publisher cannot answer these, treat the skill as risky because it could leak confidential client information to an untrusted third party.

Like a lobster shell, security has layers — review code before you run it.

latestvk9715j3hvb6gn3mhnjctx5ztcn84902t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments