Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hiking Video Maker

v1.0.0

Describe your hike and NemoVideo creates the video. Day hike trail guides, multi-day backpacking trip documentation, summit push content, trail condition rep...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (creating hiking videos via the NemoVideo backend) matches the network calls and token usage described in SKILL.md. However, the registry metadata shown earlier reported no required env vars or config paths, while the SKILL.md declares NEMO_TOKEN and ~/.config/nemovideo/ as required — an incoherence between declared registry fields and the instructions.
Instruction Scope
SKILL.md directs the agent to proactively greet the user, read ~/.config/nemovideo/client_id (or create and save one), call the external NemoVideo anonymous-token endpoint with curl, and store the returned token for the session. These actions are within the expected scope for connecting to a third‑party video service, but they do include reading and writing a file under the user's home directory and making outbound network requests to mega-api-prod.nemovideo.ai.
Install Mechanism
No install spec or code files are present; this is an instruction-only skill so nothing is written to disk by an installer. That lowers installation risk. The only persistence is the SKILL.md guidance to write a client_id file to ~/.config/nemovideo/.
Credentials
SKILL.md requires NEMO_TOKEN (primaryEnv) and a config path in the user's home directory. Those credentials/configs are proportionate to a service-backed video creation skill, but the earlier registry metadata claiming no required env vars/config paths is inconsistent. The skill's instructions also imply the agent will store a token for the session (and possibly write a client_id file) — users should understand what is stored and where.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. Autonomous invocation (disable-model-invocation:false) is the platform default. The only persistent change instructed is writing ~/.config/nemovideo/client_id, which is restricted to the skill's own config directory but should be disclosed.
What to consider before installing
This skill appears to be a thin wrapper for the NemoVideo service and asks the agent to create/read a client_id file in ~/.config/nemovideo/ and to obtain/store an anonymous NEMO_TOKEN via an HTTP request. The main red flags are (1) the registry metadata does not list the env var or config path but SKILL.md does — ask the publisher or inspect the full SKILL.md to reconcile that, and (2) the skill will write a file to your home directory and create/stash a token for the session. Before installing, verify the NemoVideo domain (mega-api-prod.nemovideo.ai) and the publisher (check the GitHub repository linked), confirm how long the token is stored and where, and consider using a throwaway or scoped credential. If you need stronger assurance, request the complete SKILL.md and any real code, or run the skill in a restricted/sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.
