ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Government Explainer Video

v1.0.0

Your agency processes 40,000 benefit applications a year and 60% of them arrive incomplete because applicants didn't understand the instructions — instructio...

0· 21·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (create government explainer videos) aligns with the single API call shown in SKILL.md to nemo's video generation endpoint; requiring an API token (NEMO_TOKEN) is reasonable for that purpose. The endpoint domain (mega-api-prod.nemovideo.ai) should be validated as the legitimate vendor endpoint by the buyer.
!
Instruction Scope
Runtime instructions are minimal and only show a curl POST using $NEMO_TOKEN, which is coherent for remote video generation. However, there is no guidance about redacting or handling sensitive personal data or PII before sending (public-benefit workflows often include SSNs, addresses, medical info). The skill gives the agent broad discretion to construct the POST body and does not limit or warn about transmitting applicant data.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk because nothing is written to disk by the skill itself.
!
Credentials
The declared single required environment variable (NEMO_TOKEN) is proportionate. However, the metadata also declares a required config path (~/.config/nemovideo/) that is not referenced in SKILL.md; asking for a user config path is more invasive than necessary and creates ambiguity about whether local files (which may contain other secrets) will be read.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/always-on presence or elevated agent-wide privileges in the provided metadata.
What to consider before installing
This skill appears to call an external video-generation API and needs an API token (NEMO_TOKEN) — that is reasonable for its stated purpose. Before installing, verify the nemo vendor and the endpoint (mega-api-prod.nemovideo.ai) are legitimate for your organisation. Ask the publisher to clarify why ~/.config/nemovideo/ is declared as a required config path (the SKILL.md does not use it); if unnecessary, remove that requirement. Most importantly, do not send personally identifying or sensitive applicant data to the service until you have: (1) confirmed the vendor's data retention and privacy policies, (2) confirmed token scope and access controls, and (3) tested with scrubbed/sample data. If you already supplied a token and later feel uncomfortable, rotate/revoke the token. If you need help evaluating vendor trust, ask IT or procurement for an approved vendor check.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ay8s0g174ven7xy3aqm76k9848ppq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏢 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments