ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fitness Video Maker

v1.0.4

Fitness Video Maker — Create Workout and Exercise Videos with AI. Tell the AI what you want—it executes workout content automatically. Describe your workout...

0· 144·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, apiDomain (mega-api-prod.nemovideo.ai) and primaryEnv (NEMO_TOKEN) are coherent for a cloud-based video generation service. No unrelated binaries or unrelated env vars are requested.
Instruction Scope
SKILL.md is primarily descriptive and contains no explicit runtime commands. It references uploading media and exporting MP4s (expected). However the SKILL.md metadata includes a config path (~/.config/nemovideo/) that suggests the skill may read local configuration files — the registry metadata shown earlier did not list required config paths, so it's unclear whether the agent will access that directory at runtime.
Install Mechanism
No install spec and no code files (instruction-only). This has a lower disk/execution risk because nothing is downloaded or installed by the skill itself.
Credentials
Only one credential (NEMO_TOKEN) is required which is reasonable for using a remote API. The presence of a configPath in SKILL.md is disproportionate unless it's only to find a locally cached token — the registry metadata contradicted this. Confirm whether the skill will read ~/.config/nemovideo/ and what it expects to find there.
Persistence & Privilege
Skill is not always-enabled and does not request persistent/privileged placement. It does not declare modifications to other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (use the NemoVideo API to create fitness videos) and only asks for a single API token, but there are two small inconsistencies you should verify before installing: (1) SKILL.md mentions a config path (~/.config/nemovideo/) that could let the skill read local files — confirm whether the skill actually accesses that directory and why; (2) the registry metadata did not list that config path, so ask the publisher or inspect code/repository to confirm behavior. If you proceed, create and use a scoped/limited API token (not your main account credentials), verify the apiDomain matches the vendor, and review NemoVideo's privacy policy for uploaded media. If you can't verify the config-path usage or trust the publisher, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c49vzamq83z2m31zxyde7t583wx8p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💪 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments