ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Travel Agency Promo Video

v1.0.0

Travel agencies and tour operators that publish destination inspiration and package showcase videos generate 5x more qualified booking inquiries than agencie...

0· 23·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description claim automated creation and export of marketing videos, but there is no code, no install, no required binaries, and no concrete runtime steps for producing video. The single required credential (NEMO_TOKEN) could plausibly map to an external video API, but the SKILL.md provides no explanation of what NEMO is, what API calls will be made, or why a token is required. Overall the requested surface (a token and a possible config path) is not clearly justified by the prose.
!
Instruction Scope
SKILL.md is high-level marketing and use-cases only; it lacks any runtime instructions, commands, endpoints, or data flows. It doesn't show how the agent should use NEMO_TOKEN, what files (if any) are read/written, or where generated content is uploaded. The metadata inside the SKILL.md references a config path (~/.config/nemovideo/) but the registry metadata reported no required config paths — an internal inconsistency.
Install Mechanism
No install spec and no code files (instruction-only). That minimizes direct disk-write or arbitrary-download risk, but also means the skill as provided cannot by itself perform video generation — it would need platform-side integration with an external service.
Credentials
The skill requests one env var (NEMO_TOKEN) as primary credential, which is reasonable if it calls an external video API. However, the SKILL.md does not document what token scope is required, where it will be sent, or whether any other credentials/config are accessed. The presence of a config path in the embedded metadata (but not in the registry listing) increases uncertainty about possible filesystem access.
Persistence & Privilege
The skill does not request always:true and has no install; it does not ask for persistent system modifications. Autonomous invocation is enabled by default (normal), which combined with the other uncertainties increases potential blast radius but is not by itself a disqualifying issue.
What to consider before installing
This package is mostly marketing text and lacks concrete runtime behavior. Before installing or providing credentials: 1) Ask the maintainer to supply exact runtime instructions (API endpoints, sample requests, what data is sent, and where outputs are stored). 2) Confirm why NEMO_TOKEN is needed, what scope/permissions it requires, and whether a scoped/test token can be used. 3) Clarify whether ~/.config/nemovideo/ is required and what files it contains or reads. 4) Prefer creating a least-privilege token and test in a sandbox account. 5) If you cannot obtain clear, specific documentation of the data flow and token usage, avoid supplying production credentials — treat this skill as incomplete or poorly documented rather than ready for production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971q2w0dj6eq4sqkcd5j3qyj5849yh2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✈️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments