Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Passive Income Video

v1.0.0

Describe your passive income stream and NemoVideo creates the video. Dividend investing portfolios, rental property cash flow, digital product income, affili...

0· 74·0 current·0 all-time
by peandrover · adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal · Suspicious · View report →
OpenClaw · Suspicious · medium confidence
Purpose & Capability
The skill's stated purpose (create passive-income videos via NemoVideo) aligns with the SKILL.md: it calls mega-api-prod.nemovideo.ai and needs an API token. However, the registry-level metadata provided with the skill (top-level fields) claims no required env vars or config paths, while SKILL.md explicitly declares NEMO_TOKEN and ~/.config/nemovideo/ as required or used. That discrepancy is an inconsistency worth flagging, because any consent or permission prompt built from the registry fields would omit both.
Instruction Scope
The SKILL.md instructs the agent to read and write ~/.config/nemovideo/client_id, to read the env var NEMO_TOKEN if it is present and, if not, to obtain an anonymous token via a curl POST to https://mega-api-prod.nemovideo.ai and keep that token for the session. Those steps are within scope for a remote-video-service integration, but they include writes to the user's home config and automatic network calls to a third-party API. A referenced section (§3.0 'Create a session') is truncated here and could include additional behavior not visible in the scan, so some uncertainty remains.
Install Mechanism
There is no install spec and no code files; this is instruction-only. That minimizes disk-level install risk because nothing is downloaded or installed by the skill repository itself. The caveat is that the instructions still direct the agent to run curl and to write files, so the risk shifts from installed code to whatever the SKILL.md tells the agent to do.
Credentials
Requesting a single service token (NEMO_TOKEN) and storing a client_id in ~/.config/nemovideo/ is proportionate to calling an external video generation API. The concern is the metadata mismatch: the registry summary claims 'Required env vars: none' and 'Required config paths: none', yet SKILL.md lists NEMO_TOKEN and a config path and marks NEMO_TOKEN as primaryEnv. The inconsistency could be accidental, but automated permission and consent checks that rely on the registry fields will be inaccurate, and users may be surprised by the environment and config access.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to change other skills' configs. It does write its own client_id under ~/.config/nemovideo/, which is normal for an integration storing client metadata. Autonomous invocation is enabled by default (not flagged on its own), but combined with the registry/metadata mismatch it makes verifying the skill's origin more important.
Scan Findings in Context
[no_scan_findings] expected: the package is instruction-only, so the regex scanner had no code files to analyze. The primary security signals come from SKILL.md itself (it declares NEMO_TOKEN and config paths), not from scanner output.
What to consider before installing
This skill appears to be a legitimate integration with the NemoVideo API, but there are mismatches and behaviors to check before installing:
1) The SKILL.md requires an API token (NEMO_TOKEN) and writes a client_id to ~/.config/nemovideo/, yet the registry metadata lists no required env vars or config paths. Verify with the publisher which is accurate before proceeding.
2) The skill will call https://mega-api-prod.nemovideo.ai and may upload user video content. Review NemoVideo's privacy policy and confirm where media and generated content are stored and who can access them.
3) If you don't want persistent client metadata, ask whether the client_id file will be created and whether tokens are persisted beyond the session; consider running the skill in a sandboxed account or container with its own HOME so that writes under ~/.config/ stay isolated.
4) Because the SKILL.md references a session creation step (§3.0) that is truncated here, request the full SKILL.md or the repository (https://github.com/nemovideo/nemovideo_skills) to inspect exactly what is sent to the API.
5) If you decide to proceed, prefer the anonymous token flow described above rather than reusing sensitive credentials, and make sure you can revoke any token later.
If you cannot verify the publisher or the truncated session behavior, treat the skill with caution.
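The registry/SKILL.md mismatch called out under Purpose & Capability, Credentials and in point 1 above is the kind of thing worth checking mechanically before installing any instruction-only skill. The following is an added example, not ClawHub, OpenClaw or NemoVideo code: it pulls the env vars, home-relative config paths and remote hosts a SKILL.md references and diffs them against the registry's declared fields. The SKILL.md text and the registry dictionary are constructed to match the scan's description (the real file and the API path are not reproduced on this page), the registry key names are assumed, and the regexes are heuristics tuned to how such files phrase things, so treat a clean result as one signal rather than proof.

```python
"""Pre-install consistency check for an agent skill.

Added example (not ClawHub, OpenClaw or NemoVideo code): compare what a
SKILL.md actually references (env vars, config paths, hosts) with what the
registry metadata declares, so a "registry says none, SKILL.md says
NEMO_TOKEN and ~/.config/nemovideo/" mismatch is caught before install.
"""
import re
from dataclasses import dataclass, field

# Constructed SKILL.md excerpt written to match the scan's description of the
# skill's instructions; it is not the real file, and the API path is omitted.
SAMPLE_SKILL_MD = """\
# Passive Income Video

1. Read the client id from ~/.config/nemovideo/client_id (create it if missing).
2. If the env var NEMO_TOKEN is set, use it as the bearer token.
3. Otherwise obtain an anonymous token with a curl POST to
   https://mega-api-prod.nemovideo.ai and keep it for the session.
"""

# Constructed registry summary reproducing the mismatch the scan flagged.
# Key names are assumed; adapt them to the registry export you actually have.
SAMPLE_REGISTRY = {"required_env": [], "config_paths": []}

# Env vars count only when the text calls them out as such or uses shell
# expansion, so ordinary capitalised words like POST are not matched.
ENV_RE = re.compile(r"(?:env(?:ironment)?\s+var(?:iable)?s?\s+|\$\{?)([A-Z][A-Z0-9_]{2,})")
PATH_RE = re.compile(r"(?:~|\$HOME)/[\w.\-/]+")
HOST_RE = re.compile(r"https?://([\w.\-]+)")


@dataclass
class SkillFacts:
    env_vars: set[str] = field(default_factory=set)
    config_paths: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)


def extract_facts(skill_md: str) -> SkillFacts:
    """Pull every env var, home-relative path and remote host out of a SKILL.md."""
    return SkillFacts(
        env_vars=set(ENV_RE.findall(skill_md)),
        config_paths=set(PATH_RE.findall(skill_md)),
        hosts=set(HOST_RE.findall(skill_md)),
    )


def _covered(path: str, declared: set[str]) -> bool:
    """A used path is covered if a declared path equals it or is a parent directory."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in declared)


def find_mismatches(skill_md: str, registry: dict) -> list[str]:
    """Return one message per thing SKILL.md uses that the registry does not declare."""
    facts = extract_facts(skill_md)
    declared_env = set(registry.get("required_env", []))
    declared_paths = set(registry.get("config_paths", []))
    problems = [f"undeclared env var: {v}" for v in sorted(facts.env_vars - declared_env)]
    problems += [f"undeclared config path: {p}"
                 for p in sorted(facts.config_paths) if not _covered(p, declared_paths)]
    return problems


def report(skill_md: str, registry: dict) -> str:
    """Human-readable summary: hosts the skill will contact plus any metadata mismatches."""
    facts = extract_facts(skill_md)
    lines = [f"contacts host: {h}" for h in sorted(facts.hosts)]
    lines += find_mismatches(skill_md, registry) or ["metadata consistent with SKILL.md"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SKILL_MD, SAMPLE_REGISTRY))
```

Run against the constructed input it reports the host contacted plus two undeclared items (NEMO_TOKEN and the client_id path); with a registry that declares NEMO_TOKEN and ~/.config/nemovideo/ it reports nothing, because declared paths are matched as directory prefixes so a declared config directory covers files written under it.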

Like a lobster shell, security has layers — review code before you run it.

latest · vk97296pk2wsr8j1k8k2qh54t6d83rc5w
