Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hair Salon Promo Video — Attract New Clients with Salon Marketing Videos, Stylist Spotlights, and Before-and-After Transformations
v1.0.0
Your booking calendar has open slots on Tuesday and Wednesday. The stylist chair that should be generating revenue is sitting empty while the salon three blo...
by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes producing salon promo videos from user-supplied photos/clips and text; nothing in the prose mentions a third-party service named 'Nemo' or any API key. Yet registry metadata declares primaryEnv: NEMO_TOKEN and configPaths: ~/.config/nemovideo/. That credential and config path are not justified by the described functionality and create an unexplained dependency on an external service/config.
Instruction Scope
The SKILL.md itself stays on-topic: it asks the user to describe the salon and supply media and describes the kinds of outputs produced. The instructions do not tell the agent to read arbitrary local files, environment variables, or to transmit data to unspecified endpoints. However, because the metadata claims access to a specific config path and token, there is a gap between what the instructions say the agent will do and what the skill claims it needs — the runtime instructions do not document how or when that token/config would be used.
Install Mechanism
There is no install spec and no code files — this is an instruction-only skill, so nothing will be written to disk by installers. That reduces surface area compared with skills that download or run external code.
Credentials
A single required credential (NEMO_TOKEN) is declared as primary, but the SKILL.md does not explain what service this token authenticates to, why it's necessary, or what scope/privileges it needs. The declared config path (~/.config/nemovideo/) suggests the skill might read local configuration or cached credentials. Requesting a token and a config path without explanation is disproportionate for a purely instructional skill that otherwise asks users to upload media directly.
Persistence & Privilege
The skill is not marked always:true and has no install step, so it does not request persistent or privileged system presence. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal and not by itself a concern.
What to consider before installing
Before installing or enabling this skill, ask the publisher to explain what 'NEMO_TOKEN' is and why the skill needs access to ~/.config/nemovideo/. Specifically: (1) which external service (domain and API) does the token authenticate to? (2) what exact data (photos, videos, salon text, booking links) will be uploaded to that service, and is any personally identifying or sensitive data transmitted? (3) how long are uploads stored, and can you delete them? (4) what minimal token scopes are required and how should the token be provisioned? If the publisher cannot answer, avoid supplying secrets or config files. If you must try the skill, provide non-sensitive test media and a limited-scope/test token, and request source or documentation (homepage, API docs, or source code) so the declared credential and config path can be audited.
Like a lobster shell, security has layers — review code before you run it.
latest vk97a0vyxn4czvb5pap8s6tggnn83y950
Runtime requirements
✂️ Clawdis
Primary env: NEMO_TOKEN
