Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Youtube Monetization Video
v1.0.1
Create YouTube videos optimized for maximum ad revenue — structure content for mid-roll retention, target high-CPM topics, design click-worthy thumbnails, an...
⭐ 0· 58·0 current·0 all-time
by peandrover adam@peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated goal (structure scripts, thumbnails, titles, content calendars) is coherent with an instruction-only assistant that calls an external service. However the registry metadata and the SKILL.md disagree: the registry listed no required env vars or config paths, while SKILL.md metadata includes a primaryEnv (NEMO_TOKEN) and a config path (~/.config/nemovideo/). That mismatch is unexplained and reduces confidence that the declared requirements match actual behavior.
Instruction Scope
The instructions ask the user to 'share channel data' and describe analyses (mid-roll placement, CPM targeting, thumbnail generation). They do not explicitly instruct reading unrelated local files or system secrets in the visible excerpt. But the SKILL.md does not clearly state how it obtains analytics (user paste vs. Google/YouTube OAuth) or when/why it would access ~/.config/nemovideo/, leaving ambiguity about the scope of data collected and transmitted to the external service.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That reduces install-supply-chain risk.
Credentials
The skill declares a primary credential NEMO_TOKEN (implying use of the nemovideo service), but the registry summary initially listed no required env vars, creating an inconsistency. Requesting a service token is plausible for calling nemovideo.com, but it's not clear why YouTube/Google OAuth credentials are not declared if the skill will read analytics directly. Also the listed config path (~/.config/nemovideo/) could allow reading local files; it's not justified in the instructions. Asking for a token that can be used by the skill to send channel analytics off-device is a proportionality concern that should be documented.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It can run autonomously (default), so if you grant the NEMO_TOKEN the agent could call external APIs on its own. That is normal for skills, but combined with the unclear credential/config usage it increases the potential blast radius.
What to consider before installing
Before installing:
1) Ask the skill author to explain why SKILL.md declares NEMO_TOKEN and a config path while the registry shows no required env vars—get a clear list of exactly which credentials the skill needs and why.
2) Confirm how channel analytics are supplied (manual pasted CSV vs. the agent using Google/YouTube OAuth). Never hand over your Google/YouTube credentials unless you understand and trust the service and its OAuth scopes.
3) If asked to provide a NEMO_TOKEN, verify what that token grants (what API calls it allows, how long it lives, and the vendor's data retention/privacy policy).
4) Ask whether the skill will read ~/.config/nemovideo/ or any other local files; if so, request minimal-scoped alternatives (upload only the specific analytics data needed).
5) Consider testing on non-sensitive data or a dummy channel first.
The main issues are metadata inconsistencies and unclear data flows—not an immediate indicator of malware, but enough uncertainty that you should get clarifications before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latest vk97aq8b0rg2skxr1c94azpyyk983t9tz
Runtime requirements
📈 Clawdis
Primary env: NEMO_TOKEN
