Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Business Travel Video
v1.0.0
Optimize work trips with productivity hacks, airport tips, and hotel reviews using AI — generate business travel videos covering flight booking strategies fo...
⭐ 0· 52·0 current·0 all-time
by @udnerc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate business-travel videos and the presence of a NEMO_TOKEN and a nemo config path (~/.config/nemovideo/) is coherent if the skill calls an external NemoVideo service. However the registry summary lists "Required env vars: none" while a primary credential (NEMO_TOKEN) is declared in the skill metadata — this mismatch is an inconsistency.
Instruction Scope
The visible SKILL.md contents are focused on content generation (topics, scripts, segments, tips) and do not instruct the agent to read arbitrary files, enumerate system state, or exfiltrate data. There are no runtime commands or instructions in the provided excerpt that suggest scope creep.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer — lowest-risk install surface.
Credentials
A single primary credential (NEMO_TOKEN) and a config path for ~/.config/nemovideo/ are plausible for a third‑party video service, but the top-level requirements list zero required env vars while the skill metadata names a primaryEnv. That inconsistency should be fixed. The skill does not explain what NEMO_TOKEN grants access to, what data will be sent to the external service, or the minimal scope required for the token.
Persistence & Privilege
always is false and there is no install script or persistent behavior declared. The skill does not request elevated or permanent agent-level privileges.
What to consider before installing
Before installing:
1) Confirm what "NEMO_TOKEN" is (which service issues it) and whether the token's scope is limited (video-generation only) — avoid providing broad tokens.
2) Inspect the contents of ~/.config/nemovideo/ (or ask the publisher) to see what the skill expects to read and whether it would reveal other secrets.
3) Ask the skill author/publisher for a clear runtime description: does the skill send raw user prompts, transcripts, or local files to NemoVideo servers?
4) Ask the publisher to fix metadata inconsistencies (either list NEMO_TOKEN under required env vars or remove it).
5) If you must trial it, use a scoped or low‑privilege token and run in a controlled environment; revoke the token if anything unexpected is observed.
If you can't confirm these points, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ekq4f2spfj88y0wywg3s6bd83t7z5
Runtime requirements
💼 Clawdis
Primary env: NEMO_TOKEN
