Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Compliance Training Video Maker — Create OSHA, HIPAA, DEI, Code of Conduct, and Regulatory Compliance Videos for Any Industry

v1.0.0

Every year, companies lose an average of $14 million in compliance penalties, settlements, and remediation costs — not because their policies were wrong, but...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match a video-generation service; requesting a single API token (NEMO_TOKEN) could be reasonable for a third‑party video API. However, the registry metadata and the SKILL.md disagree about required config paths and env vars (registry lists none; SKILL.md metadata lists primaryEnv=NEMO_TOKEN and configPaths=['~/.config/nemovideo/']). That inconsistency should be resolved.
Instruction Scope
The runtime instructions are high-level (ask the user for policies, build scenario content, export SCORM/MP4). They do not describe any use of an API token or the ~/.config/nemovideo/ path, yet the skill metadata declares those. Because the SKILL.md gives the agent no concrete, limited steps for accessing credentials or local config, there's a gap between declared capabilities and actual instructions.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing will be written to disk by an installer. This is the lowest install risk, but it increases reliance on metadata correctness because no code is present to justify requested accesses.
Credentials
The skill declares a primary credential named NEMO_TOKEN and (in SKILL.md metadata) a config path ~/.config/nemovideo/. A single service token is plausible, but requesting an entire config directory in the user's home can expose other secrets. Also, the registry summary lists 'required env vars: none' while the SKILL.md metadata names a primaryEnv — this mismatch is suspicious and should be clarified.
Persistence & Privilege
The skill is not marked always:true and uses default autonomous invocation settings. It does not request persistent installation or modification of other skills. No elevated persistence privileges are declared.
What to consider before installing
This skill could be legitimate, but there are gaps you should resolve before installing:
(1) Ask the publisher what NEMO_TOKEN is (which service, exact permissions/scopes, where tokens are stored) and whether a scoped/ephemeral token can be used.
(2) Ask why the skill needs access to ~/.config/nemovideo/ and what files within that directory will be read — avoid granting access to broad config directories that may contain unrelated secrets.
(3) Because the registry lists no homepage or source, request API documentation or a vendor page so you can verify the external service.
(4) If you must test it, run it with a minimally privileged test account/token and in a sandboxed environment; do not provide organization-wide credentials or tokens that grant access to unrelated services.
(5) If the publisher cannot explain the discrepancies between the SKILL.md metadata and the registry listing, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk979gf8zb8jh71hj0rfax3qm4183wa6e


Runtime requirements

⚖️ Clawdis
Primary env: NEMO_TOKEN
