Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Documentation Video

v1.0.0

A developer finds your API in a search result, lands on the documentation page, and starts reading. The endpoint reference looks complete. The authentication...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description claim to produce tutorial videos demonstrating auth flows and real API calls. As an instruction-only skill that asks the user to 'Describe the API', this is plausible as a content-generation/template assistant. However the manifest contains a single apiDomain (https://mega-api-dev.nemovideo.ai) even though the skill declares no required credentials, no install, and no explanation of how video generation or API calls are executed — a modest mismatch that should be explained by the author.
Instruction Scope
SKILL.md is high-level and does not contain concrete runtime commands, file reads, or env var access. That reduces direct filesystem/network risk, but the instructions are open-ended ('Describe the API...') which grants the agent broad discretion to request or collect whatever context it needs; there are no constraints or explicit safe-handling rules for sensitive data such as API keys. The presence of an apiDomain in the header suggests an external endpoint could be used, but the doc never specifies what to send there.
Install Mechanism
No install spec, no code files, and no binaries required. Instruction-only skills that don't write to disk or fetch archives are lower-risk from an install perspective.
Credentials
The skill declares no required environment variables or credentials. That is coherent for a template/authoring assistant, but inconsistent with the stated functionality of demonstrably exercising an API (which typically requires credentials). Additionally, the YAML header includes apiDomain pointing to an external domain (nemovideo.ai) with no explanation of its role — if the skill or an agent were to send API endpoints, example payloads, or secrets to that domain, that would be disproportionate to what is declared.
Persistence & Privilege
always is false and there are no install-time hooks or persistent components. Autonomous invocation is allowed by default (not a problem alone). The skill does not request persistent presence or elevated agent-wide configuration changes.
What to consider before installing
This skill is a high-level content/template authoring tool, not an implementation with clear runtime steps. Before installing or using it, ask the publisher: (1) What does the apiDomain in the header do? Where are video rendering and any API calls executed? (2) How should API credentials be provided and handled (ephemeral input only, never stored or forwarded)? (3) Will any user-supplied API endpoints, example payloads, or secrets be transmitted to third parties (and if so, which ones and why)? If the author cannot explain where data is sent and how secrets are protected, avoid giving real API keys or sensitive data and prefer a workflow that uses local, ephemeral mocks or sanitized examples.

Like a lobster shell, security has layers — review code before you run it.

latestvk971jxj58yh996gksxd9xtbk55849hpt
