ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fitness Challenge Video

v1.0.0

Fitness challenges get 3x more social media engagement than standard workout posts. Your 30-day challenge, transformation journey, and weekly workout documen...

0· 20·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match a service that would plausibly need an API token (NEMO_TOKEN) to upload/process videos. However the registry listing earlier shows no required config paths while the SKILL.md metadata includes configPaths [~/.config/nemovideo/], which is an inconsistency. That config path would imply the skill might read/write a local service config, which is not explained by the description.
!
Instruction Scope
SKILL.md is high-level and open-ended: it tells the agent to 'upload your workout footage' and 'assemble' videos but gives no API endpoints, no explicit instructions for how uploading happens, and no constraints on what files to read. This vagueness gives the agent broad discretion to request, read, or transmit user files and credentials without clear boundaries or auditing instructions.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which minimizes disk-write/installation risk. No third-party downloads or package installs are requested.
Credentials
The skill only requires a single environment variable (NEMO_TOKEN), which is proportionate for a hosted video-processing API. But the SKILL.md metadata's configPaths entry (not reflected in the registry's 'Required config paths') raises the possibility of local config access; the token and potential config access should be explained by the author.
Persistence & Privilege
always:false and no install steps are defined. The skill does not request permanent presence or modifications to other skills or global agent settings.
What to consider before installing
Before installing, ask the publisher for specifics: which NemoVideo API/endpoint will be used, exactly how NEMO_TOKEN is used and what permissions it grants, whether footage is uploaded to a third-party server and how long it's stored, and whether the skill will read any local config at ~/.config/nemovideo/. Prefer scoped or revocable tokens and avoid supplying your primary account credentials. If possible, test with a throwaway token and non-sensitive sample videos first. If the author cannot explain where files are uploaded and how credentials are used, treat the skill as risky and do not provide real tokens or private footage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f5vk9f4e4e41ae4n8qc10e1848gc2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💪 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments