Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Professional Development Video — AI Video Maker for Career Growth, Skill Building, and Workforce Development Programs
v1.0.0
According to LinkedIn Learning's 2024 Workplace Learning Report, 94% of employees say they would stay at a company longer if it invested in their career deve...
⭐ 0 · 36 · 0 current · 0 all-time
by @udnerc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate professional development videos and declares a single API token (NEMO_TOKEN) which fits that purpose. However the SKILL.md metadata references a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths — this inconsistency is unexplained. The apiDomain points to a dev-sounding host (mega-api-dev.nemovideo.ai) rather than a stable production hostname, and no homepage or vendor/source is provided, so provenance is weak.
Instruction Scope
This is an instruction-only skill that appears to instruct the agent to collect role/curriculum descriptions and send them to an external API for video generation. That data flow is coherent with the stated purpose, but it means user-supplied organizational content (competency models, career frameworks, potentially sensitive internal information) will be transmitted to a third party. The visible SKILL.md does not instruct reading unrelated system files, but the metadata's config path suggests the skill may read/write ~/.config/nemovideo/ (not declared elsewhere).
Install Mechanism
No install script or downloaded code is present (instruction-only), which is the lower-risk model for a skill. Nothing will be written to disk by an installer, based on the provided metadata and absence of install specs.
Credentials
The skill requests a single credential (NEMO_TOKEN) which is reasonable for an API-backed service. However: (1) the metadata also lists a config path that could contain additional credentials or state (~/.config/nemovideo/), and (2) the apiDomain is a developer-style host. Because there is no homepage or vendor information, you cannot verify what privileges that token will confer on the external service. Requiring a token without clear vendor provenance is disproportionate until you verify token scope and the service owner.
Persistence & Privilege
The skill is not set to always:true and is user-invocable; autonomous model invocation is allowed (the platform default). There is no indication the skill will modify other skills or system-wide settings. The potential to read/write its own config path (~/.config/nemovideo/) was declared in SKILL.md metadata — that is plausible for storing credentials, but you should confirm intent.
What to consider before installing
This skill appears to be an instruction-only integration with an external AI video API and needs a NEMO_TOKEN. Before installing or supplying credentials:
1) Verify the vendor and hostname (ask for a homepage, privacy policy, and who runs nemovideo.ai).
2) Treat the NEMO_TOKEN as sensitive — ask what privileges it grants and prefer a scoped/test token rather than a full production credential.
3) Confirm whether the apiDomain (mega-api-dev.nemovideo.ai) is a dev endpoint; prefer production endpoints for real data.
4) Don’t send confidential PII or internal secrets to the skill until you confirm the vendor’s data handling, retention, and security practices.
5) Ask the publisher to explain the metadata inconsistency about config paths (~/.config/nemovideo/) and to provide a stable release/homepage so you can validate provenance.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c273rfsf09g4ssg2nmem6qh83zb0d
Runtime requirements
🚀 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
