Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Product Launch Video

v1.0.0

Describe your product launch and NemoVideo creates the video. Software releases, hardware reveals, new feature drops, rebrands — narrate what you're launchin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (create product launch videos via NemoVideo) matches the runtime behavior (calls mega-api-prod.nemovideo.ai). However the registry metadata in the package lists no required env vars or config paths while the SKILL.md explicitly requires NEMO_TOKEN and ~/.config/nemovideo/ and declares primaryEnv: NEMO_TOKEN. This metadata mismatch is an incoherence that reduces trust and should be clarified.
! Instruction Scope
The instructions require network calls to the NemoVideo backend and will transmit user-provided media and launch descriptions to that external service (expected for this skill). They also instruct the agent to read and write ~/.config/nemovideo/client_id and to store an acquired token (NEMO_TOKEN) for the session. There are no instructions to read unrelated system files, but automatic anonymous-token acquisition and storing tokens locally are notable and require explicit user consent because media and possibly metadata will be uploaded to a third party.
Install Mechanism
This is an instruction-only skill with no install spec and no third-party packages to download or execute. That minimizes on-disk installation risk.
! Credentials
The SKILL.md declares a required credential (NEMO_TOKEN) and a config path ~/.config/nemovideo/, which are proportionate to calling an external API. However the registry-level metadata claims no required env vars or config paths—this contradiction is suspicious. The skill also instructs generating and persisting a client_id and setting NEMO_TOKEN for the session, which gives the skill the ability to authenticate to the remote service on the user's behalf.
Persistence & Privilege
always:false (normal). The skill will create/read files under its own config directory (~/.config/nemovideo/) and may store a session token there or in-session environment state. It does not request system-wide privileges or modify other skills, but writing to the user's home config is persistent and should be disclosed to the user.
What to consider before installing
This skill appears to perform the advertised task (send your description/video to NemoVideo's API and get a produced video), but there are two things to consider before installing:
(1) The SKILL.md says it requires a NEMO_TOKEN and writes/reads ~/.config/nemovideo/, while the registry metadata claims no required env/config. Ask the author or registry owner to explain and fix that discrepancy.
(2) Using the skill will upload your media and launch copy to mega-api-prod.nemovideo.ai (an external service). If your videos or launch details contain sensitive information, do not upload them without reviewing NemoVideo's privacy/security policy.
Mitigations: test in a sandboxed environment, create a dedicated account/token for the service (do not reuse sensitive credentials), review the skill author's homepage/repo, and confirm exactly what gets uploaded and how long tokens/credits persist. If you need more assurance, ask the author to provide clarified registry metadata and an explicit data/privacy statement.

Like a lobster shell, security has layers — review code before you run it.

