ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kindergarten Video — Enrollment and Marketing Videos for Kindergarten Programs, Transitional Kindergarten, and Early Elementary Schools

v1.0.0

Children who start kindergarten in programs with strong video presence for parent communication show 23% higher family engagement scores in their first semes...

0· 25·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's description (creating enrollment and readiness videos) is coherent with a service that would need a service token (NEMO_TOKEN) or config directory, but the declared requirements are inconsistent: requires.env is empty while metadata lists primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/). That mismatch is unexplained and reduces confidence that requested access is properly scoped.
Instruction Scope
The SKILL.md content (instruction-only) focuses on collecting program descriptions, photos, bios, and curriculum materials to produce videos — all expected for a video service. There are no instructions present that ask the agent to read unrelated system files or secret environment variables beyond what a video service would need. However, the skill implies uploading assets to external endpoints (websites, social platforms) without specifying which endpoints or how consent/PII is handled; that's an operational/privacy concern to confirm with the developer.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by an installer. This is the lower-risk form (instruction-only).
!
Credentials
Metadata declares a primaryEnv (NEMO_TOKEN) and a config path (~/.config/nemovideo/) but the skill does not list required.env entries. Requesting a token and a config directory is proportionate for a cloud video service only if the token's scope is limited and documented. The current package fails to document why those are needed and may implicitly request access to a user's config directory (which can contain other secrets) — this is disproportionate without justification.
Persistence & Privilege
always is false and there is no install or self-modifying behavior. The skill can be invoked autonomously by the agent (platform default), but that alone is not a red flag here and is not combined with 'always:true' or broad declared credential access.
What to consider before installing
This skill appears to do what it says (produce kindergarten enrollment videos) but has metadata mismatches and potential privacy implications. Before installing: 1) Ask the developer to explicitly declare required environment variables (is NEMO_TOKEN required?) and describe the token's scope and where it is used. 2) Confirm why the config path (~/.config/nemovideo/) is required and ensure the skill will only read its own config file, not arbitrary files in that directory. 3) Be careful about uploading student photos or teacher-identifying data — verify consent and how media/PII is stored, transmitted, and deleted. 4) Prefer a token with minimal privileges and an auditable endpoint (official Nemovideo domain or documented API) rather than sharing broad credentials. If these questions are unanswered, treat the skill as higher risk and avoid providing sensitive media or credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ag6w5hzs1t0pmqjekfg92jx840fh6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏫 Clawdis
Primary envNEMO_TOKEN

Comments