Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fitness Video Editor

v1.0.0

Fitness content demands precise production: each exercise needs a visible label identifying the movement and target muscle group, rep counts displayed in rea...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (automatic editing of workout footage) reasonably explains needing an external service or token, but the skill declares a primary credential NEMO_TOKEN while the declared requires.env array is empty. That mismatch between metadata fields is inconsistent and unexplained.
Instruction Scope
SKILL.md simply says 'upload footage' and describes the editing approach; it does not say where files are uploaded, what endpoints or APIs are used, or what data will be collected or retained. There are no instructions that explicitly read unrelated files or env vars, but the lack of detail gives the agent broad discretion about where and how to send video data.
Install Mechanism
There is no install spec and no code files to run; that limits surface area because nothing will be written to disk by the skill itself. However, being instruction-only means runtime behavior depends on the agent and any external service the skill calls — which are not described.
Credentials
A primaryEnv (NEMO_TOKEN) and a configPaths entry (~/.config/nemovideo/) are declared, but no required env vars are listed and SKILL.md never justifies these. Requesting a token and pointing at a home config path is proportionate for a cloud video-editing service, but the missing required-env entry and the absent explanation of what the token grants or how config files are used are a red flag.
Persistence & Privilege
always is false and the skill is user-invocable only; it does not request permanent presence or elevated platform privileges. No indications it would modify other skills or agent-wide settings.
What to consider before installing
This skill could be legitimate, but it omits critical details. Before installing or providing any token: ask the publisher what NEMO_TOKEN authenticates to, where uploaded videos are sent, and whether processing happens locally or on a remote server; verify privacy/retention and deletion policies; confirm what files (e.g., ~/.config/nemovideo/) the skill will read; require least-privilege tokens and test with non-sensitive/dummy footage first; and verify the publisher identity or service homepage since no source or homepage is provided. If the vendor cannot clearly answer these, do not provide real credentials or upload sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fq8dabewvatfp5wbdgnfvz583wjnz

Runtime requirements

💪 Clawdis
Primary env: NEMO_TOKEN
