Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Testimonial Video Maker
v1.1.0
Create customer testimonial and review videos with AI — transform raw interview recordings, written reviews, audio feedback, and video call clips into polish...
by peandrover adam @peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description (AI-based cleanup, editing, and export of testimonial videos) reasonably explains why a cloud API key (NEMO_TOKEN) and a local config (~/.config/nemovideo/) might be needed. However, registry metadata lists no required env vars or config paths while the SKILL.md metadata declares primaryEnv: NEMO_TOKEN and configPaths: ~/.config/nemovideo/. That mismatch is unexplained. Also there is no homepage or source URL to verify the vendor 'NemoVideo'.
Instruction Scope
This is an instruction-only skill (no code files) so the SKILL.md controls runtime behavior. The provided content is largely marketing and use-cases, but SKILL.md metadata references a local config path and a primary credential. Because there are no explicit runtime commands shown in the manifest excerpt, it's unclear exactly what files the agent will be instructed to read/upload and what external endpoints it will call. Uploading user videos/audio to an external service would be expected for this purpose, but the lack of explicit boundaries (where data goes, retention, what local paths may be read beyond the stated config) is concerning.
Install Mechanism
No install spec and no code files — lowest-risk delivery mechanism. Nothing will be written to disk by an installer when added; runtime behavior is entirely driven by the SKILL.md instructions and agent runtime.
Credentials
The skill declares a primaryEnv NEMO_TOKEN (expected for a cloud video API) but the top-level registry fields show no required env vars — an inconsistency. The SKILL.md also lists a config path (~/.config/nemovideo/), which could legitimately store the same token, but it also raises the possibility the skill will read files in the user's home config area (which might contain other secrets). No other env vars are declared, which is proportionate, but the mismatched declarations and missing vendor/site to verify token scope are red flags.
Persistence & Privilege
always: false and default autonomous invocation settings — normal for skills. The skill does not request permanent 'always' inclusion and does not declare writing or modifying other skills or system-wide config in the manifest.
What to consider before installing
This skill plausibly needs a NemoVideo API token and access to your media files, but there are some unexplained inconsistencies and no vendor website to verify. Before installing: (1) Ask the publisher for a homepage / privacy & security docs describing where media is sent, how long it is stored, and token scope. (2) Confirm exactly what the SKILL.md will instruct the agent to read/upload (which directories, whether it will scan other dotfiles). (3) Prefer creating a limited-scope, revocable NEMO_TOKEN (or use an ephemeral upload flow) rather than a long-lived account-wide secret. (4) Inspect ~/.config/nemovideo/ if it exists to see what it contains before granting access. (5) If you must test, try with non-sensitive sample media and a token that cannot access other accounts. Because the skill is instruction-only and has no published source, proceed cautiously.
Like a lobster shell, security has layers — review code before you run it.
latestvk972arthtqqcevxmzn01rbht9n83r24y
Runtime requirements
🗣️ Clawdis
Primary env: NEMO_TOKEN
