Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Luxury Travel Video

v1.0.1

Create stunning luxury travel videos showcasing world-class hotels and experiences with AI.

bypeandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md describes a video-generation integration with NemoVideo and includes an API example that requires a bearer token — that capability is coherent with the skill's purpose. However, the registry metadata above this SKILL.md lists no required environment variables or primary credential while the embedded SKILL.md metadata declares primaryEnv: NEMO_TOKEN and a configPaths entry (~/.config/nemovideo/). This discrepancy is an incoherence between what the skill claims it needs and what the registry metadata reports.
Instruction Scope
The SKILL.md instructs the agent to call NemoVideo's API (curl example to https://api.nemovideo.ai/v1/generate) and to produce scripts, storyboards, visuals, narration and music. There are no instructions to read unrelated system files, exfiltrate data, or call other endpoints. The SKILL.md metadata references a local config path (~/.config/nemovideo/) which implies the skill may read local config for credentials — the runtime instructions themselves do not explicitly enumerate reading that path, but the metadata suggests it may be used.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes disk-side risk because nothing is downloaded or written by an installer.
[!] Credentials
Requesting an API token (NEMO_TOKEN) is proportionate for a third-party video-generation API. The concern is the mismatch: the SKILL.md metadata lists primaryEnv: NEMO_TOKEN and a configPaths entry, while the registry metadata presented to you lists no required env vars. That mismatch makes it unclear whether the platform will prompt you for a token, automatically read a token from disk, or behave differently than documented. Also, the declared config path (~/.config/nemovideo/) could contain other sensitive items — confirm what the skill will actually read.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not declare any installation steps that modify other skills or system-wide settings.
What to consider before installing
This skill appears to call NemoVideo's API to create videos, which reasonably requires an API token. However, the SKILL.md declares primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/) while the registry metadata shown to you lists no credentials — this inconsistency should be resolved before you provide secrets. Before installing or enabling the skill:

1) Confirm whether the platform will ask you to supply an API token, or whether the skill will attempt to read ~/.config/nemovideo/ for credentials.
2) If a token is required, create a dedicated, minimal-scope token for NemoVideo (do not reuse highly privileged or long-lived keys).
3) Verify the API endpoint and vendor (https://nemovideo.com and https://api.nemovideo.ai) and review their privacy/security docs.
4) Prefer granting least privilege and monitor network activity or logs when you first use the skill.

If you cannot confirm the credential/config behavior, treat the metadata mismatch as a risk and avoid installing until resolved.
