Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Church Sermon Video

v1.0.1

Your Sunday sermon was recorded on three cameras and a phone. The raw footage is four hours across four files, the audio from the lapel mic is better than th...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to perform multi-camera sync, audio replacement, branding overlays, chapter markers and exports — these functions legitimately require an external video-processing service and an API token (NEMO_TOKEN). However there is an inconsistency: the registry summary lists no required config paths, while the SKILL.md metadata declares a config path (~/.config/nemovideo/). That mismatch should be explained.
Instruction Scope
The SKILL.md is high-level and only says 'Upload your raw sermon recordings' without specifying how files are transmitted, what exact endpoints or API calls the agent will make, or what data is retained. This gives the skill broad discretion to send large, possibly sensitive video/audio files to an external service. The documented apiDomain is a 'dev' host (mega-api-dev.nemovideo.ai), which raises additional questions about production readiness and data handling.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportionate for an external API. However the SKILL.md metadata also requests a local config path (~/.config/nemovideo/), which is not reflected in the registry requirements and is not explained — why the agent needs local config files should be clarified.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform-wide privileges. Model invocation is allowed (the normal default). There is no indication it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to be a cloud-based sermon video processing tool and reasonably needs an API token, but several things don't add up:
(1) SKILL.md is vague about exactly how and where your raw video/audio will be uploaded and retained — that is sensitive material, so get a clear data handling and retention policy before uploading.
(2) The declared apiDomain is a development host (mega-api-dev.nemovideo.ai) rather than an obvious production endpoint; ask the publisher why that is and prefer a stable production URL.
(3) SKILL.md metadata references a local config path (~/.config/nemovideo/) not listed in the registry requirements — ask whether the skill will read or write files from your home directory and why.
(4) Only provide NEMO_TOKEN after confirming the token's scope, ability to be revoked, and whether it has least-privilege permissions; consider testing with non-sensitive sample footage first.
If the publisher cannot clearly explain these points (ownership, privacy policy, production endpoint, and exactly what files the agent will access/transmit), do not install or provide credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fz8n9k68d10xdpv1e0zegvs844w61


Runtime requirements

Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
