Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Restaurant Promo Video

v1.0.0

Describe your restaurant and NemoVideo creates the promo video. Showcase your signature dishes, your kitchen, your atmosphere — and get a 30-60 second video...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (make short restaurant promo videos) matches the runtime behaviour (calls NemoVideo API at mega-api-prod.nemovideo.ai and accepts video/prompts). However the SKILL.md declares required environment variable NEMO_TOKEN and a config path (~/.config/nemovideo/), while the top-level registry metadata provided with this submission lists no required env vars or config paths — this metadata mismatch is an incoherence that reduces trust.
Instruction Scope
Runtime instructions explicitly tell the agent to read and write files in the user's home (~/.config/nemovideo/client_id), generate a UUID if needed, call an anonymous-token endpoint and store the returned token in an environment variable for the session. Those file-system and token-management actions go beyond a purely read-only assistant and should be expected for a client that persists a client_id, but they are not declared in the registry metadata. The skill will also upload user-provided video/content to an external service (expected for this purpose) — users should be aware of that data flow.
Install Mechanism
No install spec or downloadable code is present; this is instruction-only and therefore does not install third-party packages or execute arbitrary downloaded code. That reduces install-time risk.
Credentials
The only credential referenced in SKILL.md is NEMO_TOKEN (and a locally stored CLIENT_ID). That is proportionate to an API-backed video service. The issue is the registry metadata provided with the skill did not list these environment/config requirements — the declared primaryEnv and configPaths in SKILL.md should be reflected in the registry so users know which secrets/files the skill needs.
Persistence & Privilege
The skill requests only to create/read/write its own config directory (~/.config/nemovideo/) and a client_id file, and it does not request system-wide privileges or set always:true. Persisting a client_id and session token in a per-user config directory is normal for a client, but users should still expect the skill to create files in their home directory.
What to consider before installing
Before installing or invoking this skill:
(1) confirm the registry listing matches the SKILL.md (SKILL.md requires NEMO_TOKEN and writes ~/.config/nemovideo/ but the registry metadata omitted these);
(2) be aware any videos or images you provide will be uploaded to mega-api-prod.nemovideo.ai — do not send sensitive or private content you don't want shared;
(3) expect the skill to create ~/.config/nemovideo/client_id and to obtain/store an anonymous token for the session; if you are uncomfortable with those file writes, run the skill in a sandbox or request the publisher update the registry metadata to accurately declare required env vars and config paths;
(4) verify NemoVideo's privacy/security policy and the token's scope before placing any permanent credentials in NEMO_TOKEN.
No regex scan findings were reported for the package (the skill is instruction-only), so pay attention to the SKILL.md instructions themselves when deciding whether to proceed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97122x3kkg1wsv0tar7n27cq183sf2n
