Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Event Rental Company Video — AI Promo Videos for Party Rental and Event Equipment Businesses
v1.0.0
Event rental companies — tents, tables, chairs, linens, lighting, dance floors, photo booths — lose bookings every day to competitors who look bigger online....
by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to create promo/catalog videos from user-supplied photos and would legitimately need an API token (NEMO_TOKEN) to call a video-generation service. However, the SKILL.md includes metadata that references a config path (~/.config/nemovideo/), while the registry metadata earlier listed no required config paths; this inconsistency should be clarified.
Instruction Scope
SKILL.md (partial content shown) describes uploading assets and generating videos — that scope is appropriate. There is no evidence in the provided fragment that it instructs the agent to read unrelated system files or exfiltrate data, but the file is truncated so the full instruction set should be reviewed to confirm it only accesses user-provided assets and the NemoVideo service.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest risk from installation. Nothing is written to disk by an installer in the provided metadata.
Credentials
Requesting a single API credential (NEMO_TOKEN) is proportionate for a service that performs video generation. But the SKILL.md metadata lists a config path (~/.config/nemovideo/), and the registry metadata contradicted this by listing none; that raises a question about whether the skill will read files from that location (which could contain other secrets) or expects the token there. Clarify exactly which env vars/files the skill will access and whether the token is transmitted to an external endpoint.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent inclusion or other skills' configs. No indications it modifies system-wide agent settings from the provided data.
What to consider before installing
Before installing, ask the skill author to: (1) confirm exactly how NEMO_TOKEN is used (which endpoints, whether it's stored locally, and what scopes it grants); (2) explain why ~/.config/nemovideo/ is listed in the skill metadata (will the skill read from that folder?); (3) provide a privacy/data-retention policy for uploaded images and generated videos (where are assets uploaded, who can access them, how long are they stored); and (4) show the full SKILL.md/runtime instructions so you can verify the agent will only access the assets you intentionally provide and will not read other files or credentials. If you must proceed, prefer using a scoped API token that can be revoked and does not grant broader account access.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fkpn4pzt57da0phbm3hyjcs83waxg
Runtime requirements
🎪 Clawdis
Primary env: NEMO_TOKEN
