Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tire Shop Promo Video
v1.0.0Independent tire shops and auto service centers that publish educational and trust-building video content attract 2x more new customers than shops competing...
⭐ 0· 23·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to create and export marketing/education videos; requiring a single NEMO_TOKEN is plausible if it uses a third‑party video service named “Nemo”. However the registry metadata shown to you lists no config paths while the SKILL.md metadata declares a config path (~/.config/nemovideo/). That mismatch is unexplained and small but notable.
Instruction Scope
SKILL.md contains only high-level product copy and no concrete runtime instructions or API endpoints. The instructions are vague/open‑ended ('Specify your service focus and local market; Tire Shop Promo Video creates...') which gives the agent broad discretion. There are no explicit steps describing what the agent will read, write, or transmit beyond the implied use of NEMO_TOKEN and the config path in SKILL.md.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it will not drop packages or archives on disk. That reduces installation risk.
Credentials
Only NEMO_TOKEN is required and is declared as the primary credential — reasonable if the skill integrates with a 'Nemo' video API. However the SKILL.md metadata also lists a config path (~/.config/nemovideo/) which suggests the skill may read local config files; the registry summary earlier did not list required config paths. The exact privileges granted by NEMO_TOKEN (scope, lifetime) are unknown and should be confirmed before use.
Persistence & Privilege
The skill does not request always:true and uses default autonomous invocation settings. It does not ask to modify other skills or system-wide settings. No elevated persistence is declared.
What to consider before installing
The skill appears to be what it says (video creation) but has several red flags you should resolve before installing:
- Source and provenance: there is no homepage or source repository. Ask the publisher for a source URL, documentation, and a privacy/security policy.
- Token scope: ask what NEMO_TOKEN is and what permissions it grants. Prefer short‑lived or narrowly scoped tokens; never reuse high‑privilege credentials.
- Config path inconsistency: SKILL.md lists ~/.config/nemovideo/ but the registry summary did not. Ask whether the skill will read local config files and what data is stored there (API keys, personal data, etc.).
- Runtime behavior: request concrete runtime instructions or an API spec (endpoints called, data uploaded, and what is returned). Vague, open‑ended instructions give the agent broad discretion to access files or other data.
- Test safely: if you decide to try it, use a sandbox account or a token with minimal privileges and monitor network activity and the contents of ~/.config/nemovideo/.
If the publisher cannot clearly answer these questions, consider this skill suspicious and avoid providing long‑lived credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97805rbae4b6q1vfeheyz6pz98496ty
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔩 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN