Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Workout Video Maker
v1.0.0
Describe your workout and NemoVideo creates the video. Strength training program breakdowns, exercise form tutorials, gym routine documentation, progressive...
by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md clearly describes contacting https://mega-api-prod.nemovideo.ai and declares NEMO_TOKEN and ~/.config/nemovideo/ as required; that matches the declared purpose (creating/uploading workout videos). However the registry metadata above this description lists no required env vars or config paths — that contradiction is unexpected and suggests metadata and runtime instructions are out of sync.
Instruction Scope
Instructions are mostly within the stated purpose: they ask the agent to greet the user, accept or ask for video content, create a session, and POST to the NemoVideo backend. They explicitly instruct reading/writing ~/.config/nemovideo/client_id and storing an acquired token in NEMO_TOKEN for the session. They will upload user-provided media to an external service (mega-api-prod.nemovideo.ai), which is expected for this skill but is a privacy/security consideration the user should be aware of.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing will be downloaded or executed on disk beyond the agent following the prose instructions, which is lower risk than arbitrary installs.
Credentials
SKILL.md requires an API token (NEMO_TOKEN) and persists a client_id under ~/.config/nemovideo/. The registry metadata shown earlier lists no required env vars or config paths — this mismatch is a red flag. Requesting a single service token and a local client_id file is proportionate to the stated function, but the inconsistency in declared requirements needs clarification.
Persistence & Privilege
The skill will create/read ~/.config/nemovideo/client_id and may persist an anonymous or provided token. It does not request 'always: true' or other elevated privileges. Persisting a client_id/token in the user's home directory is normal for a client but does create a persistent artifact that could be reused or read by other processes, so users should be aware.
What to consider before installing
There's an important mismatch: the skill's runtime instructions declare NEMO_TOKEN and a ~/.config/nemovideo/ client_id, but the registry metadata claims no env/config requirements. Before installing or enabling this skill: (1) verify the skill publisher/repository (visit the listed GitHub repo and NemoVideo homepage) to confirm authorship; (2) be aware that any videos or data you give will be uploaded to mega-api-prod.nemovideo.ai — don't send sensitive content until you accept that; (3) expect the skill to write a client_id and possibly a token under ~/.config/nemovideo/ — if you prefer, create and supply your own NEMO_TOKEN rather than allowing anonymous token generation; (4) if you need stronger assurance, ask the publisher to reconcile registry metadata with SKILL.md (make the env/config requirements consistent) or provide signed releases/source before trusting the skill.
Like a lobster shell, security has layers — review code before you run it.
