Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Family Vacation Video
v1.0.0
Plan and document kid-friendly trips that parents actually enjoy too with AI — generate family vacation videos covering destination suitability for children,...
by @udnerc
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce family vacation video content; asking for a single service token (NEMO_TOKEN) and a config path (~/.config/nemovideo/) is coherent for a cloud video service. However, the skill has no listed source/homepage and the registry owner is unknown, so the identity of the service that would use NEMO_TOKEN is not verifiable.
Instruction Scope
SKILL.md is long and prose-heavy and appears to be instruction-only (no code). The pre-scan flagged unicode-control-chars in the SKILL.md, which are a common prompt-injection vector intended to alter how an agent interprets instructions. The visible content does not explicitly show necessary runtime steps (API endpoints, explicit upload instructions), but the metadata declares a config path — the skill may expect to read local configuration/credentials. The presence of invisible control characters combined with a declared config path is concerning.
Install Mechanism
No install spec and no code files are present; this is instruction-only and will not write new binaries to disk by itself. That reduces installation risk.
Credentials
The skill requests a single primary credential (NEMO_TOKEN) and lists a single config path (~/.config/nemovideo/). Requesting one token for an external video service is reasonable, but there is no information about the service (no homepage) to justify trusting or validating that token. No other unrelated secrets are requested.
Persistence & Privilege
always is false and there are no install scripts. The skill does not request permanent platform-level privileges. Autonomous invocation is allowed (platform default) but not itself a red flag here.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode characters are not expected for a benign family-travel content skill. These characters can be used as prompt-injection to change how the agent parses or follows instructions and may hide malicious directives. Treat this as a real concern even though no code files exist.
What to consider before installing
Do not provide credentials or place a NEMO_TOKEN in your environment until you verify the publisher and service. Ask the publisher for a canonical homepage and API documentation showing how NEMO_TOKEN is used. Inspect SKILL.md in a text editor that reveals hidden/control characters (e.g., show invisibles) and ask the publisher to remove them or explain them. If you must test, run the skill in an isolated/sandboxed environment with a throwaway token, and do not allow it to read other ~/.config files or system-sensitive paths. If you cannot verify the service identity or remove the control characters, avoid installing or supplying real credentials.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
👨👩👧👦 Clawdis
Primary env: NEMO_TOKEN
