ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Motorcycle Dealer Promo Video

v1.0.0

Motorcycle dealerships that publish inventory showcase and lifestyle videos generate 4x more qualified showroom visits than dealers relying on static listing...

0· 23·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to produce marketing videos (reasonable for a video-service integration). However the registry metadata requires NEMO_TOKEN and a config path (~/.config/nemovideo/) even though the SKILL.md contains no instructions that mention calling an external Nemo service, using that token, or reading that config. Requiring a service token and config directory is plausible for a video-export API, but the lack of any explanation is an incoherence.
!
Instruction Scope
The SKILL.md is high-level and vague ('Specify your brand lineup and target rider profile...'). It does not enumerate the exact runtime actions, files accessed, endpoints contacted, or what context the agent should gather. Vague, open-ended instructions give the agent broad discretion to collect unspecified data (potentially including user files or environment values) unless constrained elsewhere.
Install Mechanism
This is instruction-only with no install spec and no code files, which minimizes disk-write and supply-chain risk. No downloads or package installs are requested.
!
Credentials
The skill requires a single credential NEMO_TOKEN (declared as primaryEnv) and a config path. A single API token for a third‑party video service can be reasonable, but the SKILL.md does not justify it or describe token usage, storage, or scope. The presence of a config path suggests access to a user config directory; that should be justified and scoped but currently is not.
Persistence & Privilege
The skill is not always-enabled and has default invocation settings (agent may call it autonomously), which is normal. The skill does not request system-wide changes, nor does it claim to modify other skills or global agent configuration.
What to consider before installing
This skill might be legitimate, but important details are missing. Before installing, ask the publisher these questions: (1) What is NEMO_TOKEN (which service) and what exact API calls will the skill make? (2) Why does it need access to ~/.config/nemovideo/ and what files will it read/write? (3) Where will uploaded media and metadata be sent/stored and who can access it? (4) Will the token be stored persistently and with what scope/permissions? If you can't get answers and the token would be a long‑lived secret for an external account, avoid installing or provide a scoped/test token in a sandbox. Prefer a skill that documents exact runtime behavior, endpoints, and data handling or that provides source/homepage for review.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bmqyntwcebt1mh46wxqe6vn848fqt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏍️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments