ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Maid Service Promo Video

v1.0.0

Residential cleaning services that publish professional marketing videos showing their cleaning process and results attract 3x more online booking inquiries...

0· 24·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (produce marketing videos for cleaning businesses) is coherent with a service that might call an external video generation/upload API. Requesting a NEMO_TOKEN could be reasonable if this integrates with a 'Nemo' video service. However, the SKILL.md contains no concrete API calls or examples showing why the token is needed, so the link between purpose and the requested credential is unproven.
!
Instruction Scope
SKILL.md is high-level marketing copy and does not include runtime instructions, API endpoints, command examples, or any mention of reading ~/.config/nemovideo/ or accessing NEMO_TOKEN. That absence is a red flag: the agent is being asked to supply a credential and a config path without any documented scope or justification for how they will be used or what data will be transmitted.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk because nothing will be downloaded or written to disk by an installer step.
!
Credentials
Only one environment variable (NEMO_TOKEN) is required, which could be proportionate for a single-service integration. But the skill provides no explanation of required token scopes, what endpoints it will contact, or why it needs the optional config path. The registry metadata also lists no config paths while SKILL.md metadata declares ~/.config/nemovideo/, an inconsistency that increases concern about unexpected file access.
Persistence & Privilege
The skill is not always-enabled and does not request persistent/system-wide changes. Autonomous invocation is allowed by default (platform behavior) but is not combined here with other high-risk privileges.
What to consider before installing
Before installing: ask the publisher for exact runtime details — which API endpoints are called, what data (video/audio or user content) will be uploaded, and what scopes the NEMO_TOKEN requires. Confirm why the config path ~/.config/nemovideo/ is needed (registry metadata previously listed no config paths). If you must provide a token, use a scoped/limited test token and a sandbox account, and plan to rotate/revoke it after testing. Prefer installing only after the author provides API docs or source code showing how the token and config are used; if the source/owner is unknown, exercise extra caution and avoid supplying high-privilege credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk976qf08s90tkf3gh543rzp9gs848sdq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏠 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments