ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pet Adoption Video

v1.0.4

Tired of manually piecing together shelter footage and struggling to write captions that actually move people to adopt? The pet-adoption-video skill helps re...

0· 69·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared purpose (produce adoption videos) aligns with the runtime instructions that call a cloud rendering API. Requested primary credential (NEMO_TOKEN) matches the API usage. However, the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/) that is not listed in the registry's reported 'Required config paths', creating an inconsistency about what filesystem access is expected. The skill has no homepage or known source, which reduces provenance.
Instruction Scope
Instructions consistently describe contacting mega-api-prod.nemovideo.ai, creating or using a NEMO_TOKEN, opening sessions, uploading files (multipart or URL), and streaming SSE for generation — all expected for a cloud video service. The skill also instructs the agent to detect its install path and read YAML frontmatter for attribution headers; this requires the agent to inspect its runtime/install environment (minor scope creep) but is consistent with the header requirements. The skill does not instruct access to unrelated system files or unrelated credentials.
Install Mechanism
No install spec and no code files (instruction-only). That minimizes disk installation risk; nothing is downloaded or executed locally by the skill itself.
Credentials
Only one environment variable (NEMO_TOKEN) is declared as required and it is used as a bearer token for the listed API — proportionate to a cloud service. Caveat: SKILL.md frontmatter also references a config path (~/.config/nemovideo/) not reflected in the registry metadata, which should be explained. The skill will upload user media and may generate an anonymous token on your behalf (100 credits, 7-day expiry) — understand token scope and lifetime before use.
Persistence & Privilege
always is false and there is no install step that requests persistent, elevated privileges. The skill asks to save a session_id for its own requests, which is normal. Autonomous invocation is allowed by default (not flagged alone).
What to consider before installing
This skill appears to do what it says (cloud-based video assembly) but will send your uploaded media and use a bearer token with a third-party API (mega-api-prod.nemovideo.ai). Before installing: confirm the service's reputation and privacy/retention policies; avoid uploading sensitive personal data; verify what the NEMO_TOKEN can access and prefer a scoped or short‑lived token (or use the anonymous token flow if acceptable); ask the publisher to explain the metadata mismatch about ~/.config/nemovideo/ and provide a homepage/source for provenance. If you can't verify the service, treat media uploads and tokens as potentially sensitive and proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766qf03hd9pdp9zs7dhxba5s84bqk1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐾 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments