Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Podcast Video Maker

v3.0.1

Create engaging podcast video content with AI-powered audio-visual production for all platforms.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (produce podcast videos) is consistent with calling an external AI video API. Requiring an API token for NemoVideo would be proportionate for that purpose. However, the SKILL.md metadata includes primaryEnv: NEMO_TOKEN and a configPaths entry (~/.config/nemovideo/), while the registry summary for the skill reported no required env vars or config paths — an internal inconsistency.
! Instruction Scope
SKILL.md provides a curl example that sends requests to an external API with a Bearer token. The runtime instructions do not explicitly tell the agent how to obtain the token, but SKILL.md metadata implies it will use NEMO_TOKEN or a config path. The instructions do not request other local files, but the implied use of a home config directory is not documented in the registry and is therefore a scope ambiguity that should be clarified.
Install Mechanism
No install spec and no code files are present (instruction-only), so nothing will be written to disk or installed by the skill itself — lowest install risk.
! Credentials
The SKILL.md metadata declares a primaryEnv (NEMO_TOKEN) and a config path under the user's home directory, which is reasonable for an API-backed service. But the registry metadata reported no required environment variables or config paths. That mismatch is concerning: the skill will likely need a token (and/or read a config file) even though the registry says it doesn't, so you could be prompted to provide credentials unexpectedly.
Persistence & Privilege
The skill is not marked always:true and has no install step that would persist code or alter other skills' configuration. It does not request elevated platform privileges in the manifest.
What to consider before installing
This skill appears to call NemoVideo's API and needs an API token, but the registry metadata contradicts the SKILL.md. Before installing or providing credentials: (1) verify the skill's provenance (check the official NemoVideo homepage and repository links), (2) confirm whether and how it expects you to supply NEMO_TOKEN (environment variable vs. config file), (3) avoid giving long-lived or privileged credentials — use a scoped/throwaway token if possible, (4) do not upload sensitive audio/video until you trust the service, and (5) ask the publisher to fix the manifest mismatch so required credentials and config paths are explicit.

Like a lobster shell, security has layers — review code before you run it.


