Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Video Time Management Video
v1.0.0Take control of your schedule with proven time management strategies using AI — generate time management videos covering scheduling frameworks, priority matr...
⭐ 0· 48·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to generate time-management videos using 'NemoVideo' style content — that purpose reasonably explains needing a Nemo API token or config. However the metadata is inconsistent: primaryEnv is set to NEMO_TOKEN while requires.env is an empty list. That mismatch should be clarified (is NEMO_TOKEN required at runtime?).
Instruction Scope
The description repeatedly refers to demonstrating changes on 'real calendars' and 'real to-do lists', which implies the skill may request or access personal calendar/task data. The provided SKILL.md excerpt does not explicitly declare how calendar/task data is obtained (user upload, third‑party calendar API, or reading local files). Because this is instruction-only and the runtime steps are not fully explicit, it's unclear whether the agent will instruct itself to read files or request additional credentials — this ambiguity is a risk.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so it does not push binaries or archives to disk. That minimizes install-time risk.
Credentials
Metadata references a config path (~/.config/nemovideo/) and a primaryEnv NEMO_TOKEN. Access to a user config directory and a token is plausible for a video-generation API, but: (1) NEMO_TOKEN is not listed in requires.env (inconsistency), and (2) the skill's visible instructions hint at accessing calendar/task data but do not declare any calendar provider credentials (Google, Microsoft, etc.). The combination of a config path and an undeclared primaryEnv is disproportionate without explanation.
Persistence & Privilege
always:false and there is no install step that writes persistent agents or modifies other skills. The skill does request a config path and token (see environment_proportionality), but it does not request permanent inclusion or system-wide privileges.
What to consider before installing
Before installing or enabling this skill, ask the publisher these specific questions: (1) Do you require a NEMO_TOKEN? If so, why is it not listed in the declared required env vars? (2) Exactly what data will the skill access automatically — will it read ~/.config/nemovideo/ or any calendar/task files? (3) How does the skill obtain 'real calendars' — does the user upload the calendar, or does the skill connect to Google/Microsoft with separate credentials? (4) What does NemoVideo store in ~/.config/nemovideo/? Could that directory contain other tokens? Practical precautions: only provide tokens you explicitly intend to share, review the contents of ~/.config/nemovideo/ before enabling the skill, prefer creating a scoped/limited token for the skill (and rotate/revoke it after testing), and test the skill with non-sensitive sample data (not your real calendar) until the data flows are clear. If the publisher cannot clearly explain why the NEMO_TOKEN and config directory are needed and what other services (calendar/task providers) the skill will access, treat the skill as risky and do not grant credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk979pn2c9qky6k10r55mbf5hen83tsnv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⏰ Clawdis
Primary envNEMO_TOKEN