Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hair Colorist Video — Before and After Color Transformations, Balayage Portfolio, and Salon Color Marketing Videos

v1.0.0

A new client found your Instagram last Tuesday. She spent eleven minutes scrolling your grid — looking for one thing: proof that you could do what she needed...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate short-form salon videos and requests a single API token (NEMO_TOKEN), which is coherent for a third-party video-generation service. However, the SKILL.md embeds apiDomain pointing to a 'mega-api-dev.nemovideo.ai' (a dev-like hostname) and the SKILL.md metadata lists a config path (~/.config/nemovideo/) even though the registry summary reported no required config paths — this mismatch is unexpected and should be clarified.
Instruction Scope
The instructions request the user provide before/after photos, in-process shots, or short clips and imply those will be sent to the external API for sequencing/processing. That data transfer is consistent with the purpose, but it means client photos/videos (sensitive personal data) will be transmitted off-device to the external service — the SKILL.md does not show explicit privacy/consent or retention/usage policies, so the agent user should confirm where and how media are stored and processed by the API.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no additional code downloaded or executed locally by the skill itself. That lowers install-time risk.
Credentials
The single required environment variable, NEMO_TOKEN, is plausible and proportional for authenticating to a video-processing API. However, the SKILL.md's metadata also declares a config path (~/.config/nemovideo/) while the registry 'Requirements' block reported no required config paths, creating an inconsistency that could indicate the skill expects local credentials/config files not visible in the registry summary. Confirm whether the skill will read local config files and what they contain before installing.
Persistence & Privilege
The skill does not request 'always' presence and allows normal model invocation behavior. It does not appear to modify other skills or system-wide settings (no install spec).
What to consider before installing
This skill appears to do what it says (package salon photos into short marketing videos) and only asks for one token (NEMO_TOKEN), which is reasonable for an external video API. Before installing, confirm: 1) the apiDomain (mega-api-dev.nemovideo.ai) is a legitimate production endpoint you trust — the 'dev' hostname is suspicious; 2) whether the skill will read any local config files (the SKILL.md metadata references ~/.config/nemovideo/) and what those files contain; 3) how uploaded client photos/videos are stored, retained, and shared by the remote service (privacy/consent); and 4) whether the NEMO_TOKEN can be scoped/revoked and what permissions it grants. If you can't verify the API operator or the data-retention/privacy practices, treat this skill as higher risk and avoid sending real client images until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk971k38vbkhhqr11s7rerg92ad83zvnp

Runtime requirements

🎨 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
