ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Diy Home Improvement

v1.0.0

Fix, upgrade, and transform your home with step-by-step video guides using AI — generate DIY home improvement videos covering plumbing repairs, electrical ba...

0· 44·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (generate DIY home-improvement videos) aligns with the SKILL.md content. Declaring a primary credential of NEMO_TOKEN could be reasonable if the skill integrates with an external NemoVideo service, but the metadata is inconsistent: requires.env is empty while primaryEnv is set, which is unexpected.
Instruction Scope
SKILL.md is an instruction-only document describing how to generate step-by-step videos and safety advice. It does not instruct the agent to read arbitrary files, access unrelated environment variables, or transmit data to unexpected endpoints within the visible content.
Install Mechanism
There is no install specification and no code files — instruction-only — so nothing will be downloaded or written to disk by an install step. This minimizes install-time risk.
!
Credentials
Metadata includes a primaryEnv (NEMO_TOKEN) and a configPaths entry (~/.config/nemovideo/) but requires.env is empty and SKILL.md does not explain how or why local config files or the token will be used. Requesting an account token is plausible for a third-party video generation API, but the omission of the token from the declared requires list and the presence of a config path that points to a user home directory are inconsistent and could allow access to sensitive data if the agent were instructed to read that path.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation settings. It does not request system-wide persistence or modification of other skills in the provided metadata.
What to consider before installing
This skill appears to be an instruction-only content generator for DIY videos, which is coherent with its description. However, the metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) while not listing required environment variables — that's an inconsistency you should clarify before installing. Ask the publisher: (1) Do they need a NEMO_TOKEN? If so, why isn't it listed in requires.env? (2) What is read from ~/.config/nemovideo/? (3) Where will generated data be sent (NemoVideo API endpoint and privacy/retention rules)? If you must provide a token, prefer a least-privilege API key, review NemoVideo’s privacy/security docs, and avoid supplying long-lived or broadly-scoped credentials. Also be cautious following procedural advice on hazardous tasks (electrical/plumbing) — verify instructions with certified guidance and local safety rules before attempting work.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ct05s5f6gz5zp8h3t62qr3h83vprj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔨 Clawdis
Primary envNEMO_TOKEN

Comments