ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Mountain Travel Video

v1.0.0

Document alpine scenery, summit hikes, and highland culture on film with AI — generate mountain travel videos covering peak photography, trail selection for...

0· 50·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (mountain travel video generation) lines up with a service integration (NemoVideo). Declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are consistent with a client that talks to an external NemoVideo service. However, requires.env is empty while primaryEnv is set — that's an internal inconsistency that should be explained by the publisher.
Instruction Scope
This is an instruction-only skill (SKILL.md present, no code). The visible content is domain text and use-cases for video generation; no explicit runtime commands are shown in the provided excerpt. Metadata references a local config path which implies the agent may read ~/.config/nemovideo/ or use NEMO_TOKEN at runtime — the SKILL.md should explicitly state any file reads or external endpoints it will contact. Absence of explicit runtime steps in the manifest leaves scope ambiguous.
Install Mechanism
No install spec and no code files — low risk from installation (nothing will be downloaded or written by an installer).
!
Credentials
A primary credential (NEMO_TOKEN) is declared but requires.env is empty, creating a mismatch. Requesting a single service token fits the stated purpose if the skill calls NemoVideo, but the skill does not document what the token is used for, where it will be sent, or whether it will be stored. The declared config path (~/.config/nemovideo/) further suggests local credentials/config access. Without clear runtime instructions, this is disproportionate and warrants verification.
Persistence & Privilege
always is false and there is no install script or claims of modifying other skills or system config. The skill can be invoked autonomously by default (disable-model-invocation: false), which is normal for skills, but combine this with the credential question above and consider restricting autonomous invocation if you are cautious.
What to consider before installing
This skill appears to be an instruction-only integration for generating mountain travel videos and legitimately might need a NemoVideo API token. However: 1) Ask the publisher to clarify why primaryEnv=NEMO_TOKEN is set but not listed in requires.env, and to document any API endpoints and whether tokens/config are read or persisted. 2) Don't provide a high-privilege or long-lived token until you confirm the token's scope and storage behavior; prefer a scoped or revocable token. 3) Because the SKILL.md references ~/.config/nemovideo/, confirm whether the agent will read that file and what it contains. 4) If you don't trust the source, avoid enabling autonomous invocation (set disable-model-invocation to true) or don't install the skill. 5) If possible, request the full SKILL.md runtime instructions (explicit network calls, endpoints, and file accesses) before installing; that information would change this assessment to benign if the usage is documented and proportionate.

Like a lobster shell, security has layers — review code before you run it.

latestvk977nfysed90jkn67yq5vk8ras83vkpd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏔️ Clawdis
Primary envNEMO_TOKEN

Comments