Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Supply Chain Explainer Video
v1.0.0
Your supply chain consulting firm just won a contract to redesign the procurement and fulfillment process for a mid-market retailer — and your kickoff presen...
by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (create explainer videos) aligns with the single required credential (NEMO_TOKEN) and the provided curl example that calls a nemovideo API. However, SKILL.md metadata declares a config path (~/.config/nemovideo/) while the registry metadata shown above lists no required config paths — this mismatch should be clarified.
Instruction Scope
SKILL.md is instruction-only and explicitly instructs the agent to POST user-provided process details and goals to https://mega-api-prod.nemovideo.ai/api/v1/generate with Authorization: Bearer $NEMO_TOKEN. That is expected for a cloud video service, but it also means potentially sensitive procurement/financial/process data will be sent to a third party. The instructions do not attempt to read other local files or extra environment variables, which is good, but the data‑exfiltration risk (sending confidential business info) is real and should be considered.
Install Mechanism
No install spec and no code files — lowest risk for installation. The skill is instruction-only and therefore does not write code to disk during install.
Credentials
Only one env var is required (NEMO_TOKEN) and it's used directly in the provided curl example, which is proportionate for a cloud API. The SKILL.md metadata references a config path (~/.config/nemovideo/) not reflected in the registry metadata — this inconsistency should be resolved. No unrelated credentials are requested.
Persistence & Privilege
always:false and default autonomous invocation settings (disable-model-invocation:false) — the skill can be invoked by the agent but is not force-included. This is typical; no elevated or persistent privileges are requested.
What to consider before installing
This skill appears to call an external NEMO video-generation API using your NEMO_TOKEN. Before installing:
1) Confirm the API domain (mega-api-prod.nemovideo.ai) and the vendor identity/terms/privacy — ensure you trust them with potentially confidential procurement and financial data.
2) Clarify the metadata mismatch about ~/.config/nemovideo/ (registry vs SKILL.md).
3) Only provide a token scoped appropriately (least privilege) and avoid sending highly sensitive PII or secrets in API payloads.
4) Consider using test data for initial runs and rotate/revoke the token if you suspect misuse.
5) If you need stronger guarantees, ask the publisher for an official homepage, documentation, or a privacy/security SLA before use.
Like a lobster shell, security has layers — review code before you run it.
latest: vk970gfrp0xaj27rsktx3x6qkss848zyp
Runtime requirements
⛓️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
