ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Funeral Home Promo Video

v1.0.0

Funeral homes that publish compassionate video content on their websites and Google Business Profiles receive 40% more pre-planning inquiries than funeral ho...

0· 21·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's description (produce and export funeral-home promo videos) is consistent with requiring access to an external video service/API (NEMO_TOKEN). However, the SKILL.md metadata lists a config path (~/.config/nemovideo/) while the registry summary above says 'Required config paths: none' — that inconsistency should be resolved. The skill also claims exports to Google Business Profile but does not request any Google credentials, which is plausible if it only produces files for manual upload but should be clarified.
!
Instruction Scope
The SKILL.md is largely high-level marketing copy and does not include concrete runtime instructions. It does not state what the agent will do with NEMO_TOKEN, what files it will read or write, whether it will upload directly to external services, or what user inputs are required. This vagueness grants the agent broad discretion and increases risk because the actual actions are unspecified.
Install Mechanism
No install spec and no code files are present (instruction-only). That is lower-risk because nothing will be downloaded or written by an installer step. The skill therefore has minimal install-time attack surface.
Credentials
Only one environment variable (NEMO_TOKEN) is required which is proportionate if the skill integrates with a Nemo video API. However, the SKILL.md metadata indicates a config path (~/.config/nemovideo/) while registry metadata lists none — this mismatch is concerning. Clarify what the token grants (scope/permissions), what, if anything, is read from the config path, and whether the token can be scoped or revoked.
Persistence & Privilege
The skill is not 'always' enabled and uses the platform default allowing autonomous invocation. Autonomous invocation is normal; combined with a remote API token this raises the blast radius somewhat, but there is no evidence the skill requests elevated system privileges or attempts to modify other skills.
What to consider before installing
Before installing, ask the publisher for (1) documentation for 'NEMO_TOKEN' (what service issues it, exact scopes/permissions, and whether short-lived tokens are supported); (2) a clear runtime spec: what files/paths the skill reads or writes, whether it will upload videos automatically (and to which accounts), and what data is sent to external endpoints; (3) confirmation and explanation of the ~/.config/nemovideo/ config path (registry metadata currently disagrees). Do not provide long-lived or broad-scope credentials until you verify these points. If you must test, use a least-privilege test token in a sandbox account and review logs of any uploads or API calls.

Like a lobster shell, security has layers — review code before you run it.

latestvk9779ck0a6et0chzpq0r9v01j5848ydj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🕊️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments