Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nonprofit Advocacy Video

v1.0.0

Nonprofits that use video in their advocacy campaigns achieve 60% higher petition signature rates, 45% more legislative meeting requests, and 3x greater soci...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to produce advocacy videos and declares a single credential NEMO_TOKEN (primaryEnv). Requiring an API token for a video-generation service is plausible and proportionate to the stated purpose. However, SKILL.md's metadata also lists a config path (~/.config/nemovideo/) while the registry summary above reported no required config paths—this inconsistency should be resolved.
Instruction Scope
SKILL.md contains marketing and use-case prose but no concrete runtime instructions, commands, or endpoints. It does not describe how the agent should use NEMO_TOKEN, what APIs to call, or what local files (if any) to read/write. Vague, open-ended instructions grant the agent broad discretion and make it unclear what data might be accessed, read, or transmitted.
Install Mechanism
There is no install specification and no code files; this is an instruction-only skill. That minimizes filesystem/write risk since nothing is downloaded or installed by the skill itself.
Credentials
Only one environment variable (NEMO_TOKEN) is declared, which is reasonable for an external API. But the token's target service is unspecified and SKILL.md does not explain required token scopes or where it will be sent. The additional config path in SKILL.md (not present in the registry summary) is unexplained and could grant access to local configuration—this discrepancy is a potential concern.
Persistence & Privilege
The skill does not request always: true and is not asking for elevated persistent presence. Model invocation is allowed (default), which is normal for skills. There is no indication it modifies other skills or system-wide settings.
What to consider before installing
Before installing:
(1) Ask the publisher to explain what 'NEMO_TOKEN' is, which service/endpoint the token is sent to, and the minimum token scopes needed;
(2) Confirm whether the skill needs the local config path (~/.config/nemovideo/) and why—if it does, ask what files will be read/written;
(3) Request concrete runtime instructions (API endpoints, request shapes, and what data will be transmitted) rather than marketing text;
(4) If you proceed, provide a least-privilege token (scoped or revocable) and test the skill in a sandbox account;
(5) If you cannot get clear answers about the token use and config path, treat the skill as untrusted and do not install it.

Like a lobster shell, security has layers — review code before you run it.

latest vk974cktsfs7qaank6x63g220f58481c4

Runtime requirements

Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
