Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Home Renovation Video
v1.0.0
Describe your renovation project and NemoVideo creates the video. Kitchen remodels, bathroom updates, basement finishes, whole-house flips, single-room trans...
by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a video-generation integration with NemoVideo and the instructions call a nemo-api domain — that matches the stated purpose. However the registry metadata presented with the skill (top-level) lists no required env vars or config paths, while the SKILL.md explicitly declares a required env var (NEMO_TOKEN) and config path (~/.config/nemovideo/). The mismatch between declared registry requirements and the embedded skill metadata is an inconsistency.
Instruction Scope
The runtime instructions direct the agent to read and write ~/.config/nemovideo/client_id and to call an external API to obtain an anonymous token, then 'store the returned token as NEMO_TOKEN for this session.' These file operations and environment-setting steps are beyond mere prompt formatting and involve persistent local state. While these actions are coherent with a client that needs a client_id and token, the SKILL.md is the only place these requirements appear (the registry listing omitted them), and the instructions mix multiple auth modalities (anonymous-token flow vs examples that use an API key), which is unclear.
Install Mechanism
No install spec or code files are present (instruction-only). That reduces surface risk because nothing is downloaded or installed automatically.
Credentials
The skill asks for a single service credential (NEMO_TOKEN) and a local config path for a client_id. That is proportionate to a third-party video API. The issue is that the registry metadata provided with the skill did not advertise these requirements, so users/installers might not expect the skill to read/write ~/.config/nemovideo/ or create environment tokens. Also the SKILL.md references both NEMO_TOKEN and examples using Authorization: Bearer YOUR_API_KEY, which is ambiguous about required credentials.
Persistence & Privilege
The skill does not request always:true and does not claim elevated platform privileges. The primary persistent action it instructs is writing a client_id to ~/.config/nemovideo/ and storing a token for the session, which is reasonable for a client but should be explicitly disclosed in registry metadata.
What to consider before installing
This skill appears to be a legitimate NemoVideo integration, but there are two things to check before installing or using it: (1) the SKILL.md requires reading/writing ~/.config/nemovideo/ and using a NEMO_TOKEN, yet the registry metadata shown to you does not list these requirements — ask the publisher why the registry entry omits those details; (2) the skill will call an external API (mega-api-prod.nemovideo.ai) and may create a client_id and obtain an anonymous token. If you decide to proceed, verify the publisher (check the GitHub repository listed in the SKILL.md), review NemoVideo's privacy/security policy, and test with non-sensitive sample content first. Prefer that the skill explicitly ask for permission before writing to your home config directory or persisting tokens, and ask the publisher to resolve the mismatch between the SKILL.md and the registry metadata. If you need higher assurance, request the skill source (repo) and inspect how/where tokens are stored and whether any tokens are persisted beyond the session.
Like a lobster shell, security has layers — review code before you run it.
