Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Music School Marketing Video — Enrollment and Promotional Videos for Music Schools, Instrument Lessons, and Performing Arts Programs
v1.0.0Before music school marketing video: your studio has a website, a Facebook page, a Google listing, and a waiting list that stays full in September and emptie...
⭐ 0· 30·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and SKILL.md consistently describe producing marketing videos and assets for music schools; that purpose does not by itself justify unusual system access. The declared primary credential name (NEMO_TOKEN) could plausibly be a token for a third‑party video service used to render or export clips, but the SKILL.md never documents any external API, service, or the need for such a token. This is a plausible but unexplained capability request.
Instruction Scope
The human-readable instructions ask users to provide footage and studio details (which is expected), but they do not include any runtime steps describing use of NEMO_TOKEN, reading ~/.config/nemovideo/, or uploading/posting to external endpoints. Metadata and instructions are not aligned: metadata implies the skill will access a local config directory or a token, while SKILL.md does not explain reading system files or performing network uploads. That gap is a scope concern because it leaves unspecified what the agent will do with files or secrets.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write executables to disk or pull remote archives. That minimizes installation risk.
Credentials
Registry metadata lists no required env vars but declares a primaryEnv of NEMO_TOKEN and a configPaths entry (~/.config/nemovideo/). Requiring a token and a config path without documenting why or how they're used is disproportionate. Any token or local config could contain sensitive credentials; the SKILL.md should explicitly state what credentials it needs, why, and whether they are sent off‑device.
Persistence & Privilege
The skill is not marked always:true and has no install behavior. It does not request system-wide configuration changes or permanent presence. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal, but combined with the unexplained credential/config access this increases potential blast radius unless clarified.
What to consider before installing
Before installing or enabling this skill: 1) Ask the skill author what NEMO_TOKEN is, why the skill needs it, whether it is stored/transmitted, and what endpoints the token will be used with. 2) Ask what is stored in ~/.config/nemovideo/ and whether the skill will read anything from that directory automatically. 3) Don't paste or upload any API tokens, platform keys, or private student footage until you understand how they will be used, stored, and protected. 4) Confirm whether the skill will automatically post videos to Google Business, YouTube, Facebook, or paid ad accounts — if so, require explicit, per-post consent and review. 5) Because student videos involve minors, confirm consent and data-retention policies and ensure the vendor follows applicable privacy laws. 6) If you decide to try it, run the skill in a controlled environment (no real credentials, use test accounts) and keep autonomous invocation off or closely monitored until you trust its behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97dzbe7163nmjx1asanzxndsn8406sv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎵 Clawdis
Primary envNEMO_TOKEN