ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linkedin Video

v1.0.0

convert raw video footage into LinkedIn-ready videos with this linkedin-video skill. Works with MP4, MOV, AVI, WebM files up to 500MB. professionals and mark...

0· 58·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's actions (upload video, request a session, render on a cloud GPU, return a download URL) are coherent with a LinkedIn-video formatting service. However, the registry metadata marks NEMO_TOKEN as a required environment variable while the SKILL.md contains an explicit fallback that generates an anonymous token itself — this mismatch between declared requirements and actual instructions is unexplained and suspicious.
Instruction Scope
Instructions are specific about API endpoints, upload flows, SSE handling, and headers — all directly related to remote video processing. A couple of items expand scope: the skill expects to auto-detect an install path to populate X-Skill-Platform (which implies reading system/install paths) and the SKILL.md frontmatter references a config path (~/.config/nemovideo/) not reflected in the registry — that implies reading user config files beyond the immediate request/response flow.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it does not write or execute code on disk. That lowers installation risk.
!
Credentials
The registry declares NEMO_TOKEN as a required primary credential, but the instructions explicitly describe obtaining an anonymous NEMO_TOKEN via an API call when no token exists. Additionally, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that would grant access to local config files; the registry did not list any config paths. Requiring a token and simultaneously describing an anonymous-token fallback, plus the hidden config-path access, is a disproportionate and inconsistent credential/config footprint.
Persistence & Privilege
The skill is not flagged always:true and does not request persistent elevated privileges. It can be invoked autonomously (the platform default), but there is no evidence it would modify other skills or global agent configuration.
What to consider before installing
This skill appears to implement a legitimate cloud video-rendering workflow, but two inconsistencies deserve attention before you install: - Credential mismatch: the registry lists NEMO_TOKEN as required, yet the runtime instructions say the skill will request an anonymous token itself if NEMO_TOKEN is missing. Ask the publisher which is intended and whether providing your own NEMO_TOKEN is necessary or recommended. - Config path / system info: the SKILL.md frontmatter references ~/.config/nemovideo/ and the runtime asks to auto-detect an install path for X-Skill-Platform headers. Confirm whether the skill will read local config files or system paths and what it will do with any data found there. Practical steps: only provide a user-owned NEMO_TOKEN if you trust nemovideo.ai; request clarification from the publisher about the configPath and required env var; consider running the skill in a restricted/isolated environment or monitoring outbound requests (so you can see what the skill posts to https://mega-api-prod.nemovideo.ai) before sending sensitive files. If the publisher cannot justify the config-path access or the required-env mismatch, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk973mwscmdzgd9p3s7shkmjh3984kzdk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💼 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments