Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Party Planning Service Video — AI Marketing Videos for Event Planners and Party Coordinators

v1.0.0

You planned 47 events last year. You have a portfolio that would make a client cry with excitement — and your Google listing has two reviews and a stock phot...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate marketing videos from event photos, which reasonably requires an API token (NEMO_TOKEN) to call a remote service. However, the metadata also lists a local config path (~/.config/nemovideo/) while the declared env list is empty and primaryEnv is NEMO_TOKEN; this small internal inconsistency is not explained in the instructions.
Instruction Scope
SKILL.md is mostly marketing copy and does not provide precise, constrained runtime instructions. It references local artifacts (photos on the desktop) but does not state how the agent should obtain them or whether it may scan user folders. The metadata's configPaths entry suggests the agent might read a local config, but no justification or limits are given; this open-endedness could permit broad filesystem access or data exfiltration.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer. That minimizes installation risk.
Credentials
Requesting a primary credential NEMO_TOKEN is reasonable for a third-party video API, but the SKILL.md/metadata do not explain required token scopes, lifetime, or why a local config path is needed. A single API token with broad scopes plus vague instructions increases the risk of credential misuse or exfiltration.
Persistence & Privilege
always is false (good). The skill may be invoked autonomously (the platform default). Autonomous invocation combined with an API token and unclear file-access rules increases the blast radius: convenient, but worth caution.
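The findings above (primaryEnv declared while the env list is empty, a configPaths entry the instructions never justify, file references without access limits, the always flag) are all checkable from the skill's own metadata and text. The following is an added example of that kind of lint, written for this page; it is not ClawHub's or OpenClaw's scanner. It assumes a SKILL.md whose frontmatter carries a metadata: line holding a JSON object under an "openclaw" key with primaryEnv, requires.env, configPaths and always fields (the requires.env name is an assumption for the "declared env list"); the two SKILL.md samples are constructed, one mirroring this listing and one that states its limits.

```python
"""Lint an OpenClaw-style SKILL.md for the metadata/instruction mismatches
a skill scan reports. Example code added for this page, not ClawHub's
scanner; the frontmatter layout (a `metadata:` line holding a JSON object
with an "openclaw" key, and a requires.env list) is an assumed shape."""
import json
import re

# Constructed sample mirroring this listing: primaryEnv set, env list empty,
# a configPaths entry the body never mentions, and a body that points at
# files on the user's desktop without limiting that access.
SAMPLE_SKILL_MD = """---
name: party-planning-video
description: AI marketing videos for event planners.
metadata: {"openclaw": {"primaryEnv": "NEMO_TOKEN", "requires": {"env": []}, "configPaths": ["~/.config/nemovideo/"], "always": false}}
---
You planned 47 events last year. Grab the best photos from your desktop
and we turn them into a 30-second reel.
"""

# Constructed counter-example: same capability, but every declaration is
# justified and the file access and token scope are spelled out.
CLEAN_SKILL_MD = """---
name: party-planning-video
description: AI marketing videos for event planners.
metadata: {"openclaw": {"primaryEnv": "NEMO_TOKEN", "requires": {"env": ["NEMO_TOKEN"]}, "configPaths": ["~/.config/nemovideo/"], "always": false}}
---
Read ~/.config/nemovideo/ only for cached render settings.
Only upload the files the user selects; never scan folders.
NEMO_TOKEN needs the render:write scope and nothing else.
"""

# Words that suggest the skill expects to touch the local filesystem.
FS_HINTS = re.compile(r"\b(desktop|documents|downloads|folder|directory)\b|~/", re.I)
# A sentence that explicitly limits file access ("only upload ...", "never scan ...").
SCOPE_HINTS = re.compile(r"\b(only|never|do not|must not)\b.*\b(file|folder|scan|upload)", re.I)
TOKEN_HINTS = re.compile(r"\b(scope|read-only|least[- ]privilege)\b", re.I)


def parse_skill_md(text):
    """Split frontmatter from body; return (openclaw metadata dict, body)."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        raise ValueError("no frontmatter block")
    fm = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")  # JSON value keeps its own colons
        fm[key.strip()] = value.strip()
    meta = json.loads(fm.get("metadata", "{}")).get("openclaw", {})
    return meta, m.group(2)


def lint_skill(text):
    """Return a list of (severity, message) findings for one SKILL.md."""
    meta, body = parse_skill_md(text)
    findings = []

    primary = meta.get("primaryEnv")
    env = meta.get("requires", {}).get("env", [])
    if primary and primary not in env:
        findings.append(("warn", f"primaryEnv {primary} not in requires.env {env}"))

    for path in meta.get("configPaths", []):
        if path not in body:
            findings.append(("warn", f"configPaths entry {path} never explained in SKILL.md"))

    if meta.get("always"):
        findings.append(("warn", "always=true: skill is loaded into every session"))

    if FS_HINTS.search(body) and not SCOPE_HINTS.search(body):
        findings.append(("warn", "body refers to local files but sets no access limits"))

    if primary and not TOKEN_HINTS.search(body):
        findings.append(("info", f"no scope guidance for {primary}"))

    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_SKILL_MD), ("clean", CLEAN_SKILL_MD)):
        print(name, lint_skill(doc))
```

The checks are deliberately syntactic: they confirm that each declared capability is at least mentioned and bounded in the instructions, which is the gap the report above describes, not whether the skill actually behaves as the text says.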
What to consider before installing
Before installing, ask the skill author/provider:
1. Why does the skill declare ~/.config/nemovideo/ in configPaths, and what exactly will it read there?
2. What scopes and lifetime does NEMO_TOKEN require? Prefer short-lived, least-privilege tokens.
3. How will you supply event photos: will the agent scan my filesystem automatically, or will I upload selected files manually?
4. Will any data (photos, client names, testimonials) be sent to external servers, and what are the retention and privacy policies?
If you proceed, create a scoped, revocable token used only for this skill; do not provide a broad personal or account-wide token; and monitor and rotate the token after first use. If the author can provide explicit runtime steps that limit file access (only user-selected uploads, no automatic scanning) and minimal token scopes, the risk drops significantly.


Version: latest (vk975w9f1hjnx06q44dbj7m6cax83wvz1)


Runtime requirements

🎉 Clawdis
Primary env: NEMO_TOKEN
