ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yoga Video Creator

v1.2.1

Yoga Video Creator — Record and Edit Yoga Class Videos with AI Flow Transitions. Your Saturday morning vinyasa had beautiful light streaming through the stud...

0· 138·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe uploading and AI-editing video files; requesting a single service token (NEMO_TOKEN) and calling an external API (nemovideo) is coherent for that purpose. However the SKILL.md metadata also lists a local config path (~/.config/nemovideo/) while the registry metadata earlier said required config paths: none — this mismatch is unexplained.
Instruction Scope
The SKILL.md is instruction-only and describes uploading full-class recordings for remote processing and exporting outputs. That implies the skill will transmit large, potentially sensitive video/audio files to the apiDomain (https://mega-api-prod.nemovideo.ai). The file-level instructions in SKILL.md are high-level (no exec commands), but sending user media to a third party is inherent to the described feature and should be explicit in privacy/retention docs.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes local installation risk (nothing is written/executed locally by an installer), though runtime will call an external API.
!
Credentials
The skill declares one primary env var (NEMO_TOKEN) which is appropriate for a hosted API. However SKILL.md metadata requests access to a local config path (~/.config/nemovideo/) that the registry listing did not; if the agent actually reads that path it could access user config or other secrets. The config-path mismatch is not justified in the description and warrants clarification.
Persistence & Privilege
always is false and there is no install step requesting permanent presence. The skill can be invoked autonomously (default), which is normal; nothing in the package requests higher-than-normal privileges.
What to consider before installing
This skill appears to do what it says (upload your class video to Nemovideo for AI editing) and only requires an API token (NEMO_TOKEN). Before installing: 1) Confirm you trust nemovideo.com and the apiDomain (https://mega-api-prod.nemovideo.ai). 2) Verify how the provider stores/retains/transmits uploaded videos (privacy, retention, access, backups). 3) Clarify the metadata mismatch: SKILL.md lists a config path (~/.config/nemovideo/) but the registry did not — ask whether the agent will read that folder and what it contains. 4) Limit token scope and consider using a short‑lived or scoped test token first. 5) Test with non-sensitive/sample videos before uploading real class recordings. If you cannot get clear answers about the config-path usage or data retention, treat the skill as higher risk and do not provide production credentials or sensitive media.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dh2xp9cqz9fnxwbmaeczpjn83x9zh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧘 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments