ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Virtualover

v1.0.1

Turn raw video clips into polished, layered productions with virtualover — a skill built for blending virtual graphics, overlays, and composited elements dir...

0· 49·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required env var (NEMO_TOKEN), and the runtime actions (uploading video, creating sessions, calling compositing endpoints) are coherent. Asking for a NemoVideo token is expected for a NemoVideo-backed overlay/rendering skill.
!
Instruction Scope
The SKILL.md instructs the agent to create and persist a ~/.config/nemovideo/client_id and to store session_id values; it also instructs detecting the install platform by checking paths like ~/.clawhub/ and ~/.cursor/skills/. These filesystem accesses go beyond the single declared configPath and are not fully declared. Critically, the skill instructs building a claim URL that embeds the token as a query parameter (https://nemovideo.com/workspace/claim?token=$TOKEN...), which risks leaking the token via browser history, referrers, or logs.
Install Mechanism
No install spec or downloaded code — instruction-only skill. This is the lowest install-risk category; nothing is written via an install step beyond what the instructions say at runtime.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportional to the stated purpose. The SKILL.md does offer to obtain an anonymous token by POSTing to the NemoVideo auth endpoint if NEMO_TOKEN is not set — that is reasonable but the instructions are ambiguous about how/where that token is stored and used, which affects privacy considerations.
Persistence & Privilege
The skill asks to write a client_id to ~/.config/nemovideo/ and to store session_id for subsequent calls. That local persistence is plausible for a client, but users should be aware state and tokens may be stored on disk. The skill is not marked always:true and does not request system-wide privilege changes.
What to consider before installing
This skill appears to be a genuine NemoVideo frontend: it needs a Nemo token and will call NemoVideo endpoints and upload footage. Before installing, consider: (1) token leakage — the skill builds a claim URL that includes your token in the query string (this can leak via browser history or referrer headers); avoid using high-privilege or long-lived tokens if you proceed, or prefer the anonymous 7-day token flow and revoke it after use; (2) file writes and probing — the skill will create ~/.config/nemovideo/client_id and store session state, and it may check paths like ~/.clawhub and ~/.cursor/skills to detect platform; if you are uncomfortable with those filesystem accesses, do not install; (3) uploads — any video you give the skill will be transmitted to the NemoVideo backend, so do not upload sensitive or private footage unless you trust the service and have read its privacy policy. If you want to proceed, prefer using a short-lived/anonymous token and review NemoVideo’s docs for token revocation and data retention policies.

Like a lobster shell, security has layers — review code before you run it.

latestvk978z964h08fy8rw0wc966sqn583zwec

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments