ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Furniture Makeover Video

v1.0.0

Restore and transform old furniture with paint, stain, and creative techniques using AI — generate furniture makeover tutorial videos covering surface prepar...

0· 42·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to produce AI-generated furniture-makeover videos; requesting an API token (NEMO_TOKEN) for a video service is consistent with that purpose. However the registry metadata shows an empty requires.env while also declaring primaryEnv: NEMO_TOKEN and a config path (~/.config/nemovideo/). That contradiction (no required env listed vs a named primary credential) is inconsistent and worth clarifying.
Instruction Scope
This is an instruction-only skill (no install, no code files). The visible SKILL.md content is detailed guidance about video content and furniture techniques; it does not contain commands to read system files, enumerate credentials, or exfiltrate data. I did not see instructions that would direct data to unexpected endpoints beyond the implied use of a NemoVideo service. Note: the full SKILL.md was truncated in the provided data — if later sections include API call examples or file reads, re-check those for scope creep.
Install Mechanism
No install spec or downloadable code is present; instruction-only skills have lower install risk because nothing is written to disk by an installer.
!
Credentials
The skill declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/). Asking for a single API token for a video-generation service is reasonable. The concerns are: (1) metadata contradicts itself by listing no required env variables while naming a primaryEnv, and (2) the declared config path gives the skill scoped access to a user config directory. That directory is plausibly used to store the same token, but you should confirm what data lives there and why both mechanisms are declared.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings based on the provided metadata.
What to consider before installing
This skill appears to be what it says (an instruction-only generator for furniture-makeover videos), but check two things before installing: 1) Confirm the source and purpose of NEMO_TOKEN — only provide it if it is an API key for a trusted NemoVideo-type service and you understand its permissions. 2) Ask why the skill declares ~/.config/nemovideo/ in its config paths and whether that directory contains other sensitive data; prefer giving a scoped API key rather than broad config access. If possible, request documentation or examples showing exactly how the token and config are used (API endpoints, minimal scopes). If you cannot verify the token's intent or the origin of the skill (homepage/source unknown), proceed cautiously or avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97djwyngfymf7qrwyyexnzg9d83v5ga

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🪑 Clawdis
Primary envNEMO_TOKEN

Comments