Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Montessori School Video — Marketing and Enrollment Videos for Montessori Programs, AMI and AMS Schools, and Child-Led Learning Centers

v1.0.0

Picture a parent who has spent three months reading about Montessori education — the uninterrupted work cycles, the mixed-age classrooms, the child-led curri...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The name/description promise a video package for Montessori schools and that matches the SKILL.md use-cases. However, the metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) while the visible instructions never mention the Nemovideo service, the token, or any API—an unexplained dependency that could be legitimate (an external rendering/upload service) but is not documented in the instructions.
! Instruction Scope
The SKILL.md asks users to 'provide' footage, photos, and bios but gives no concrete, bounded instructions about whether the agent will ask for file uploads, read local files, or send content to an external endpoint. The instructions are open-ended, granting the agent broad discretion over handling of media and metadata; they do not specify destinations, retention, or required consent for images of children.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk or downloaded at install time — lowest install risk.
! Credentials
Only one credential is listed (primaryEnv NEMO_TOKEN), which could be proportionate for a video service. But requires.env is empty in the manifest and the SKILL.md never explains why the token or the ~/.config/nemovideo/ path are needed. Requesting a config directory (which may contain other sensitive tokens or keys) without documenting its purpose is disproportionate until clarified.
Persistence & Privilege
The skill does not request always:true, has no install-time persistence, and does not declare system-wide changes. Autonomous invocation is allowed (default) but that is normal and not by itself a problem.
What to consider before installing
Before installing or using this skill, ask the publisher (or the person who provided the skill) for clear answers:

1) What is NEMO_TOKEN? Which service/account does it belong to and what API scopes does it grant?
2) Why does the skill need access to ~/.config/nemovideo/? What files will be read or written there?
3) Exactly where will uploaded photos/videos be sent and how long will they be stored? Who can access them?
4) Is there a privacy/data-processing policy covering images of children (consent, retention, sharing)?
5) Provide documentation or a homepage and a contact for support; if none exists, treat the credential request as higher risk.

If you decide to proceed, prefer creating a limited-scope token, test with non-sensitive demo media, and do not provide system-wide credentials or unrelated config directories until these questions are answered.


latest: vk97796wz7j9af3rjhqs4hcfyxd84178p


Runtime requirements

🌱 Clawdis
Primary env: NEMO_TOKEN
