ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Math Tutorial Video

v1.0.0

Master any math concept with clear visual step-by-step explanations using AI — generate math tutorial videos that break complex problems into digestible step...

0· 45·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate math tutorial videos which plausibly requires access to a NemoVideo service token. The metadata lists a primary credential named NEMO_TOKEN and a config path under ~/.config/nemovideo/, which are consistent with an external video-generation service. However, requires.env is empty while primaryEnv is set to NEMO_TOKEN — that's an internal inconsistency in declared requirements and should be clarified.
!
Instruction Scope
This is an instruction-only skill (no code files). The SKILL.md is largely descriptive and marketing; it does not provide clear, explicit runtime commands or a bounded set of data the agent will read or transmit. The metadata references a user config directory (~/.config/nemovideo/) which could allow the agent to read files there. The lack of precise runtime instructions creates scope creep risk (the agent may be given broad discretion to gather context or access files).
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That minimizes filesystem footprint and removes risks from package downloads or archive extraction.
!
Credentials
The skill lists a primary credential NEMO_TOKEN (reasonable if it integrates with a NemoVideo API), but required env vars is empty in the metadata while primaryEnv is set — a metadata inconsistency. The declared config path (~/.config/nemovideo/) could contain more than just a token; reading that directory could expose unrelated user data. The skill does not document what NEMO_TOKEN grants or what data (video content, user inputs) will be transmitted to the external service.
Persistence & Privilege
always is false and the skill is not claiming system-wide persistence. The skill does not request elevated or permanent privileges; autonomous invocation is allowed (default) but not in itself a new red flag.
What to consider before installing
This skill appears to be an instruction-only integration with a NemoVideo service, which would legitimately need a Nemo token. However: (1) the metadata is inconsistent — it sets NEMO_TOKEN as primaryEnv but doesn’t list required env vars explicitly; (2) it references ~/.config/nemovideo/, which could let the agent read arbitrary user config files; and (3) the SKILL.md is largely descriptive and lacks precise runtime steps, so it's unclear exactly what the agent will read, send, or store. Before installing, ask the publisher for: the authoritative homepage or docs; what NEMO_TOKEN scope/permissions are and how to restrict them; exactly what files (if any) the skill will read from ~/.config/nemovideo/; and a clear description of what user data will be transmitted to the external service and how long outputs are retained. If you must proceed, only provide a narrowly scoped token (not full account credentials) and avoid using highly privileged credentials until you verify the provider. Because this is instruction-only, no code was scanned; absence of scan findings does not imply safety.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dkx2cvd896hths6rmmc0azn83vqww

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📐 Clawdis
Primary envNEMO_TOKEN

Comments