Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Knitting Tutorial Video
v1.0.0Follow along knitting patterns with slow-motion video demonstrations using AI — generate knitting tutorial videos that walk through complete patterns row by...
⭐ 0· 44·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description describe a video-generation service (NemoVideo). The declared primary credential (NEMO_TOKEN) and config path (~/.config/nemovideo/) are coherent with that purpose. However, requires.env is an empty list while primaryEnv is set to NEMO_TOKEN — that's an internal inconsistency in the metadata (the main credential is not listed as a required env var).
Instruction Scope
This is an instruction-only skill (no code) and the provided SKILL.md content is focused on knitting use cases. There are no visible runtime commands in the excerpt, but the metadata indicates the skill will use ~/.config/nemovideo/ and a Nemo token. Because we don't see explicit runtime calls, we cannot verify whether the instructions would read other files or transmit unrelated data — the scope appears appropriate but is not fully auditable from the provided content.
Install Mechanism
No install spec and no code files — lowest-risk delivery model for a skill. Nothing will be downloaded or written to disk by an installer as part of installation.
Credentials
The skill declares a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/). Requesting a single service token is reasonable for a third‑party video API, but the metadata inconsistency (primaryEnv not listed in requires.env) is suspicious. Also, listing a user config directory implies the skill may read files from that directory; ensure the directory doesn't contain other unrelated secrets or broader tokens. No other env vars are requested, which is proportionate if the service only needs one token.
Persistence & Privilege
always is false and there is no install spec that writes agents' global settings. The skill does not demand permanent, always-on presence.
What to consider before installing
This skill looks like a legitimate assistant for generating knitting tutorial videos, but there are a few things to check before installing:
- Confirm provenance: the skill's source and homepage are unknown. Prefer skills that reference an official project site or GitHub repo so you can review code and privacy details.
- Ask the author (or check the full SKILL.md) to explain why primaryEnv (NEMO_TOKEN) is not included in requires.env — the token is declared as primary but not listed as required, which may be a metadata bug or indicate missing documentation about where the token is read from.
- Inspect ~/.config/nemovideo/ on your machine (or ask what files the skill reads) before granting the skill access. Make sure that directory only contains the NemoVideo token or benign configuration, not other unrelated credentials.
- Prefer providing a scoped token (NEMO_TOKEN) with minimal permissions rather than a long‑lived, high‑privilege secret. If Nemo supports session-limited or read-only tokens for video generation, use those.
- Because this is instruction-only, review the full SKILL.md runtime instructions (not just the marketing text) to confirm there are no steps that read other files, post data to unexpected endpoints, or request other system access.
If you cannot verify the skill's origin or confirm what exactly it reads from your config directory, treat it cautiously and avoid installing it with a high-privilege token.Like a lobster shell, security has layers — review code before you run it.
latestvk970a165zmxmecdh182km3xhcn83t4gb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧣 Clawdis
Primary envNEMO_TOKEN