Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Catering Company Video — AI Marketing Videos for Catering Services and Food Businesses

v1.0.0

The venue coordinator at the hotel has three catering companies she refers to engaged couples, corporate event planners, and conference organizers — and the...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to produce marketing videos for caterers (reasonable). However, the registry metadata declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) while the SKILL.md never mentions Nemo or any external API. Requiring a token and local config is not justified by the prose alone.
Instruction Scope
SKILL.md is instruction-only and asks users to describe their catering operation and desired video. It does not instruct the agent to read files, environment variables, or contact specific external endpoints. The instructions are high-level and vague about implementation details (how videos are generated, where assets are uploaded, what service is used).
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk/write risk. There are no downloaded artifacts or package installs to review.
Credentials
The metadata declares a primary credential NEMO_TOKEN and a config path under ~/.config/nemovideo/, but requires.env is empty and SKILL.md never explains why a token or local config is needed. Asking for a credential and local config access without justification is disproportionate to the stated purpose.
Persistence & Privilege
always:false and normal autonomy settings. The skill does not request permanent inclusion or system-wide configuration changes.
What to consider before installing
This skill's user-facing instructions are just high-level prompts, but the metadata claims a primary credential (NEMO_TOKEN) and a local config path (~/.config/nemovideo/) that are not mentioned anywhere in the runtime instructions. Before installing or supplying any secret: ask the publisher what NEMO_TOKEN is (which service, what endpoints it accesses, and what permissions it grants), why the local config path is needed, and where generated videos and uploaded assets will be stored/transmitted. If you must provide a token, prefer a scoped, revocable API key with minimal permissions and test on non-sensitive data first. If the vendor cannot explain why a local config or token is required, treat the request as unnecessary and avoid supplying credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97603yyxegj7b631pr10hd5js83wbnv

Runtime requirements

🍽️ Clawdis
Primary env: NEMO_TOKEN