ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Minecraft Video Maker

v1.0.0

Describe your Minecraft project and NemoVideo creates the video. Survival world progress, mega builds, redstone contraptions, speedruns, hardcore deaths — na...

0· 87·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and description match: the skill talks to nemovideo.ai to produce Minecraft videos, and the listed API endpoints and parameters are consistent with that purpose. However, the registry-level metadata provided to the platform claims no required env vars or config paths, while the SKILL.md explicitly requires NEMO_TOKEN and ~/.config/nemovideo/ — an incoherence that should be explained.
Instruction Scope
The instructions are prescriptive about connecting to the NemoVideo backend: they instruct greeting the user, reading/writing ~/.config/nemovideo/client_id, generating a UUID if missing, obtaining an anonymous token via a curl POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token, and storing a session token as NEMO_TOKEN. These actions are within the expected scope for a networked service integration, but they do involve file I/O in the user's home directory and outbound network calls — both are explicit in SKILL.md and should be acceptable only if you trust the remote service. No instructions attempt to read unrelated system files or additional credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. The only writes the skill instructs are to the declared per-skill config path (~/.config/nemovideo/), which is expected for client IDs and session tokens.
!
Credentials
The SKILL.md declares it requires NEMO_TOKEN and a config path (~/.config/nemovideo/). Those are proportionate to calling NemoVideo's API. The concern is the mismatch between SKILL.md and the registry metadata (which listed no required env or config paths). That inconsistency could be harmless (packaging oversight) but also means the skill may access or create files/variables the registry didn't advertise — you should verify what will actually be created and whether you are comfortable with it.
Persistence & Privilege
The skill does not request always:true or any elevated platform privileges. It will create and use a per-user config file (~/.config/nemovideo/client_id) and a session token; this is reasonable for a client that connects to an external API. It does not request to modify other skills or global agent settings.
What to consider before installing
Before installing: (1) confirm the registry metadata should include the NEMO_TOKEN/config path — the SKILL.md expects to read/write ~/.config/nemovideo/ and obtain/store an anonymous token; that will create files in your home and make outbound requests to mega-api-prod.nemovideo.ai. (2) Only proceed if you trust nemovideo.com and the repository; check the homepage and GitHub repo URLs for legitimacy. (3) If you want to limit risk, run the skill in an isolated environment or container, or inspect SKILL.md yourself. (4) Don’t provide unrelated secrets or system credentials; this skill only needs its own API token/client-id. (5) If you want higher assurance, ask the publisher to correct the registry metadata so declared requirements match the SKILL.md.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fwcsqw715gkbjdfxtrjtw3583rt3x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments