ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Soft Skills Training Video — Create Communication, Leadership, and Professional Development Videos for Workplace Learning

v1.0.0

What's the fastest way to build a workforce that communicates clearly, handles conflict without HR involvement, and gives feedback that people actually act o...

0· 31·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (produce short scenario-based training video modules) is coherent with the SKILL.md content. Declaring a primary credential named NEMO_TOKEN and a config path for 'nemovideo' could plausibly map to an external video service, but no homepage, vendor, or documentation is provided to justify that dependency.
Instruction Scope
The SKILL.md itself contains only product/usage prose about inputs and outputs for generating training videos; it does not instruct the agent to read arbitrary files, access unrelated environment variables, or send data to unexpected endpoints. The runtime instructions do not mention using a token or reading the declared config path, which is an inconsistency.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing will be written to disk by an installer. This lowers risk from arbitrary installs.
!
Credentials
The manifest sets primaryEnv to NEMO_TOKEN and lists a config path (~/.config/nemovideo/), but requires.env is empty and SKILL.md never explains authentication or how that token/config is used. Requesting a token for an unknown service (and not documenting its scope or necessity) is disproportionate to the plain-text instructions in SKILL.md and could enable credential use or exfiltration if the skill actually attempts network actions at runtime.
Persistence & Privilege
always is false and the skill is user-invocable only; it does not request permanent/always-on inclusion and does not declare any actions that modify other skills or system-wide settings.
What to consider before installing
This skill's description and instructions themselves are reasonable for a video-training content generator, but the package metadata declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) without explaining why or how they'll be used. Before installing or providing any token: 1) Ask the publisher for the service name, documentation, and the exact purpose and scope of NEMO_TOKEN (what API it accesses, least-privilege requirements). 2) Verify the publisher identity and a homepage or source repository; avoid tokens tied to other critical accounts. 3) If you must test, create a scoped, throwaway token with minimal privileges and inspect ~/.config/nemovideo/ (if created) to see what is stored. 4) Prefer not to reuse any long-lived credentials; rotate/delete test tokens after use. Because the skill can be invoked autonomously (default), avoid granting broad credentials until you have clear documentation and trust in the service.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bbn4d5gfbzsfwhc2yqfrph583ym55

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤝 Clawdis
Primary envNEMO_TOKEN

Comments