Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Birthday Party Video

v1.0.0

Describe your birthday celebration and NemoVideo creates the video. Surprise parties, milestone birthdays, backyard cookouts, intimate dinners, theme parties...

by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (create birthday videos via NemoVideo) matches the runtime target domain (mega-api-prod.nemovideo.ai / nemovideo.com). However, the registry metadata provided with the skill declares no required environment variables or config paths, while the SKILL.md explicitly requires a NEMO_TOKEN and asserts a config path (~/.config/nemovideo/) and a primaryEnv of NEMO_TOKEN. That mismatch between declared metadata and the runtime instructions is an incoherence: a user (or platform) installing based on the registry record would not expect the skill to request credentials or to write/read files in the user's home directory.
Instruction Scope
SKILL.md instructs the agent to (a) check NEMO_TOKEN, (b) read/write ~/.config/nemovideo/client_id (generate & persist a UUID), (c) call an anonymous-token endpoint and store the returned token for the session, and (d) create a session and call the NemoVideo API to produce videos. These actions are coherent with a remote video service integration, but they involve reading and writing a per-user config directory and handling API tokens. The instructions are explicit about network calls to mega-api-prod.nemovideo.ai and file writes under the user's home directory; they do not attempt to read unrelated system files. The main concern is that these file and token operations were not advertised in the registry metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk risk from the skill bundle itself. Network calls at runtime to the NemoVideo API are expected for the described functionality.
! Credentials
The SKILL.md requires a NEMO_TOKEN (primaryEnv) and access to ~/.config/nemovideo/, which are proportionate to integrating with an external video service. However, the registry metadata supplied with the skill reported no required env vars or configPaths. Requesting credentials/config access but not declaring them in the metadata is an inconsistency that reduces transparency and is a potential security concern.
Persistence & Privilege
The skill does not request elevated system privileges and is not set to always:true. It will create/modify files under ~/.config/nemovideo/ (client_id and possibly stored tokens) — normal for a client that wants a persistent client identifier, but users should be aware that the skill will persist data to their home directory unless the agent/platform constrains or prompts for that action.
Scan Findings in Context
[no_regex_findings] expected: Scanner found no matches because this is an instruction-only skill with no code files to analyze. The absence of findings does not mean there are no behavioral concerns; evaluate the SKILL.md instructions directly (which require tokens and config-file reads/writes).
What to consider before installing
What to consider before installing or using this skill:
- The skill's runtime instructions expect an API token (NEMO_TOKEN) and will read/write ~/.config/nemovideo/client_id. The public registry entry claims no required env vars or config paths — ask the publisher/platform to correct the metadata so you know what the skill will access.
- If you proceed, confirm how tokens are stored: the skill mentions storing an anonymous token "for this session" but also declares the config path. Ask whether tokens will be persisted to disk and for how long.
- Only provide or accept API tokens from the official NemoVideo service (verify domain matches nemovideo.com / mega-api-prod.nemovideo.ai). A bearer token will allow the service to upload and access your video data — treat it like a secret.
- Be cautious about uploading videos that contain sensitive personal data. Review NemoVideo’s privacy policy and data retention terms before sending private footage.
- If you want stricter control, request these from the publisher/platform: explicit metadata listing NEMO_TOKEN and configPaths, a prompt before writing files, and an option to use ephemeral tokens that are not persisted to disk.

If the publisher cannot explain the metadata mismatch or guarantee how tokens/configs are stored, treat the skill with caution or avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e3ms8xk14j8txe0rs9fgeax83r7wq
