Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Kids Education Video
v1.0.0Make learning fun with animated educational content for children using AI — generate kids educational videos covering numbers, letters, colors, shapes, anima...
⭐ 0· 68·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description match a video-generation service (NemoVideo). Requesting a service token (NEMO_TOKEN) and a per-user config path (~/.config/nemovideo/) is plausible for a cloud video generator, but the manifest lists no required environment variables while declaring a primary credential (NEMO_TOKEN) and a config path. That mismatch is unexpected and should be clarified.
Instruction Scope
This is an instruction-only skill (no code). The provided SKILL.md is long and describes content goals and generation design but the runtime directives are not present in the scanned excerpt. Instruction-only skills can still instruct the agent to read local config or call external APIs; the metadata's config path and primaryEnv imply the agent will read ~/.config/nemovideo/ or use NEMO_TOKEN. Because the SKILL.md content is truncated, it's unclear exactly what files/envs the agent will access or what external endpoints it will send data to — that uncertainty is a risk.
Install Mechanism
No install specification and no code files — nothing will be written to disk by an installer. Instruction-only skills are lower risk from an install perspective.
Credentials
The manifest declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) but required env vars is an empty list. This is inconsistent and could hide unexpected access: the skill may expect you to store a token in your environment or in the config path. Requesting a token for a third-party video service is reasonable, but you should confirm exactly which secret(s) are needed, where they are read from, and the minimum scope/permissions of that token. Asking for access to the user's ~/.config directory is broader than strictly necessary unless it's explicitly for a local token/cache; that should be documented.
Persistence & Privilege
The skill is not always-enabled and does not request elevated installation privileges. It does not include an installer or write-to-disk steps in the registry metadata. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal, but you should only enable autonomous use if you trust the skill/operator.
What to consider before installing
This skill appears to be an instruction-only connector for a NemoVideo service, which can legitimately need a service token. However, the registry metadata is inconsistent: it lists a primary credential (NEMO_TOKEN) and a user config path (~/.config/nemovideo/) but doesn't list required environment variables. Before installing or providing any token: 1) Ask the publisher to confirm exactly how NEMO_TOKEN is consumed (env var name, config file path, and API endpoints). 2) Only provide a token with least privilege or create a dedicated limited-scope token. 3) Inspect the full SKILL.md to confirm whether the skill will upload user-supplied media or any data about children to external servers and ask for the service's privacy policy and retention rules. 4) If you keep sensitive data or credentials in ~/.config, consider creating an isolated credential for this skill rather than reusing general-purpose tokens. 5) Avoid enabling autonomous invocation until you trust the service and understand where data will be sent.Like a lobster shell, security has layers — review code before you run it.
latestvk970q1hwmzctwcga56h7fczm6x83vk4m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎈 Clawdis
Primary envNEMO_TOKEN