ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sales Training Video — AI Video Creator for Sales Enablement, SDR Coaching, Cold Calling Practice, and Revenue Team Development

v2.0.0

Marcus had been on the sales floor for nine months. His product knowledge was solid, his pipeline was full, and he still closed less than half of what the re...

0· 47·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Requesting a NEMO_TOKEN and a nemovideo config path is consistent with a third‑party video-generation service, but the registry metadata summary lists no required env vars while SKILL.md metadata specifies primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/). That metadata mismatch is incoherent and should be clarified.
!
Instruction Scope
The SKILL.md asks users to 'share call recordings, pitch decks, top rep cheat sheet' and promises to 'extract winning patterns' and export modules, but contains no concrete runtime steps, no explicit API endpoints, and no rules about how uploaded recordings are accessed, stored, or transmitted. The instructions are vague and grant broad discretion to the agent to handle sensitive audio/files, which is scope creep relative to a narrowly defined video-generation helper.
Install Mechanism
This is instruction-only with no install spec or downloadable artifacts, so nothing will be written to disk by an installer. That keeps the install risk low.
Credentials
Requesting a single service token (NEMO_TOKEN) is proportionate for an external video API, but the registry metadata inconsistency (no required env vars vs primaryEnv present) and the requirement to access ~/.config/nemovideo/ should be justified. Access to a config directory could expose other local data if the path is not strictly scoped to the skill's own files.
Persistence & Privilege
always:false (default) and no install means the skill does not request persistent/system-wide privilege. The skill can be invoked by the agent (normal behavior) but it does not escalate presence or change other skills' configs.
What to consider before installing
Before installing: verify the service/provider (there's no homepage or vendor info), and ask the author to clarify where audio/files are uploaded, which API endpoints are contacted, how long user data is retained, and whether uploads are encrypted. Confirm that NEMO_TOKEN is truly needed and understand why the skill needs access to ~/.config/nemovideo/. Avoid sending unredacted call recordings containing PII until you’ve confirmed privacy/retention policy and the exact data flow. The SKILL.md is vague about runtime behavior and data handling—get explicit details (API host, OAuth/client flow, scopes) and prefer a skill with a verifiable homepage or source before granting credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ywxrjeetrc6nveb2fnxb0983zfqk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📈 Clawdis
Primary envNEMO_TOKEN

Comments