ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pet Adoption Video

v1.0.3

Describe your rescue animal and NemoVideo creates the adoption video. Shy shelter dogs, bottle-fed kittens, bonded pairs waiting together, senior pets often...

0· 53·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a video-generation integration with nemo-video's API (mega-api-prod.nemovideo.ai) which reasonably requires an API token and a client_id config path. However, the platform registry section shown to me earlier lists no required env vars or config paths — a mismatch between declared platform metadata and the skill's own runtime metadata.
Instruction Scope
Instructions stay within the stated purpose: gather a token, create a session, accept user descriptions/videos, and POST to the NemoVideo API. They do instruct the agent to proactively greet the user and to read/write a client_id file under ~/.config/nemovideo/, which is behavior relevant to session setup for the service.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. The only disk writes come from the skill's runtime instructions (client_id in ~/.config).
!
Credentials
SKILL.md requires a NEMO_TOKEN and a client_id config path, which are proportional to contacting the NemoVideo backend. The concern is that the registry metadata shown to the platform earlier did not declare these requirements — that discrepancy can hide the fact the skill will attempt to read/write config and create/use a token. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges. It instructs creating/storing a client_id under ~/.config/nemovideo/ and retaining a session token for the session; this is limited persistence scoped to the skill's own config directory, but it is a non-trivial local side effect the user should be aware of.
What to consider before installing
This skill appears to perform the advertised task (calling NemoVideo's API to make adoption videos), but there are a few things to check before installing or using it: - Verify the source: confirm that https://nemovideo.com and the repository (https://github.com/nemovideo/nemovideo_skills) are legitimate and owned by the service you expect. The registry metadata shown earlier omitted env/config requirements that the SKILL.md declares — ask the publisher to explain that mismatch. - Be aware of local file writes: the skill will read/write ~/.config/nemovideo/client_id and may store a session token (NEMO_TOKEN) for the session. If you are uncomfortable with that, run the skill in a sandboxed environment or inspect/monitor the file writes. - Token scope: the skill will POST to https://mega-api-prod.nemovideo.ai to obtain an anonymous token and then use it to run jobs. Ask what the token can access and whether it persists on NemoVideo's side. Prefer using anonymous/session tokens rather than storing permanent secrets. - Network activity: the skill sends your prompts/media to NemoVideo's backend. Do not provide PII or secrets in prompts. If you need tighter privacy, request an on-prem or vetted provider. - If in doubt, request the publisher to update the platform metadata to match SKILL.md (declare NEMO_TOKEN and the config path) and provide a clear privacy/security statement. Running the skill only after verifying those items reduces risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97enpmkefh092xw9z68nha9kx83sf8n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments