Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daycare Center Video — Marketing Videos for Childcare Centers, Infant Care, and Full-Day Daycare Programs
v1.0.0As a daycare director, you know the conversation that happens in every parent's car on the way to a first visit: "What if it doesn't feel right? What if the...
⭐ 0· 28·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description describe a video-marketing assistant for daycare centers, which is coherent. However, the skill metadata declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) that are not mentioned or justified anywhere in SKILL.md. Requesting a platform token and local config access is not obviously necessary for the stated, user-driven workflows.
Instruction Scope
SKILL.md is an instruction-only document that asks users to provide program descriptions, photos, and footage and promises exported content for websites and profiles. It does not instruct the agent to read local files, use environment variables, or call any APIs, nor does it describe how uploads/exports occur. The lack of explicit runtime steps (especially regarding external uploads) is vague and leaves room for the skill to require unexplained credential or filesystem access.
Install Mechanism
There is no install spec and no code files; this is instruction-only. That lowers technical risk because nothing will be written to disk or automatically installed by the skill package itself.
Credentials
The metadata's primaryEnv (NEMO_TOKEN) suggests the skill will call an external NemoVideo service, and configPaths includes ~/.config/nemovideo/. Neither the SKILL.md instructions nor the declared SKILL requirements explain why a token or access to that local config directory is necessary. Requesting credentials/config access without explanation is disproportionate and potentially risky.
Persistence & Privilege
The skill does not request always: true and is user-invocable with normal autonomous invocation allowed. It does not appear to demand persistent, system-wide privileges or to alter other skills' configs.
Scan Findings in Context
[no_regex_findings] expected: The package is instruction-only and contains no code files for the regex scanner to analyze. Absence of findings is therefore not evidence of safety; metadata still declares a credential and a config path.
What to consider before installing
Before installing or providing credentials: 1) Ask the publisher to explain exactly how NEMO_TOKEN is used, what endpoints the skill calls, and why ~/.config/nemovideo/ must be accessible. 2) Do not supply a full-account token; if an API key is required, insist on a limited-scope token or a clearly documented OAuth flow and a privacy policy. 3) Verify where videos and parent/child-identifying data will be uploaded, stored, who can access them, retention policy, and whether parental consent is required — childcare video content is highly sensitive. 4) Request a minimal runtime spec or sample request/response showing the token in use; if the publisher cannot justify the credential or config access, prefer a manual workflow (upload directly to the video service yourself) or reject the skill. 5) If you proceed, create credentials that are revocable and limited in scope, monitor usage, and avoid storing sensitive files in shared or system-wide config locations.Like a lobster shell, security has layers — review code before you run it.
latestvk97819fah0smx4gr4njdghvs4d840zhf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧸 Clawdis
Primary envNEMO_TOKEN