Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meditation App Promo Video

v1.0.0

Your meditation app has guided sessions for anxiety, sleep, focus, and stress that users consistently describe as the most effective they've tried — and your...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's description is a promotional-video generator and the only required credential is NEMO_TOKEN, which matches the example curl call to nemovideo.ai; this is proportionate. However, the SKILL.md metadata also lists a required config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — that mismatch is unexplained.
Instruction Scope
The SKILL.md contains a single concrete runtime instruction: a curl POST to https://mega-api-prod.nemovideo.ai/api/v1/generate with an Authorization: Bearer $NEMO_TOKEN header. The instructions do not request reading unrelated files or env vars, nor do they instruct exfiltration to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That is the lowest-risk install model.
Credentials
Only NEMO_TOKEN is required and is directly used in the provided curl call — that is proportionate. The SKILL.md metadata also declares a config path (~/.config/nemovideo/) which could grant local-file access if honored by the platform; the registry listing did not reflect this. Confirm whether the platform will expose that path to the skill or require it.
Persistence & Privilege
always is false and the skill does not request any special persistent privileges. The skill can be invoked autonomously (platform default), which is normal; no additional privileged behavior is requested.
What to consider before installing
This skill appears to do what it says: it sends your app description to Nemovideo's API using the NEMO_TOKEN. Before installing:
(1) verify the NEMO_TOKEN is scoped and revocable (use a token with minimal scope);
(2) confirm the platform's handling of the declared config path (~/.config/nemovideo/) — is it actually required or exposed?;
(3) verify the endpoint (mega-api-prod.nemovideo.ai) and the vendor (Nemovideo) via a homepage or vendor docs — the skill has no source/homepage listed;
(4) review the service's privacy/retention policy because you will be sending app content and potentially user-facing text to an external API;
(5) rotate or revoke the token if you uninstall the skill.
These steps will reduce risk from the unknown provenance and the metadata inconsistency.


latestvk97fw4wdwxv9pm9e9ytrpzg1zd8496k5


Runtime requirements

🧘 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
