ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Recruitment Video Maker — Create Job Posting and Employer Brand Videos for Hiring Managers and HR Teams

v1.0.0

Your job posting has been live for three weeks. You have 47 applications. Twelve are remotely qualified. Four responded to the first interview request. Two s...

0· 27·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe creating recruitment videos and the SKILL.md shows exactly that: POSTing footage and job/culture data to a NemoVideo API. Requiring a single NEMO_TOKEN is appropriate for this purpose.
Instruction Scope
Runtime instructions include a curl example that will upload footage URLs and role/culture text to https://mega-api-prod.nemovideo.ai using NEMO_TOKEN. That is consistent with the stated purpose, but the instructions do not mention data handling, retention, or privacy. Uploading video footage and hiring data to a third party can include sensitive or proprietary content — the skill gives no guidance about consent or what the service does with uploaded media.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk by the skill itself. Low installation risk.
!
Credentials
The skill declares a single required env var (NEMO_TOKEN) which matches the curl example. However, SKILL.md metadata also lists a config path (~/.config/nemovideo/) while the registry summary reported 'Required config paths: none'—an inconsistency. If the skill actually reads that config path, it could access local files; that possibility is not documented in the instructions.
Persistence & Privilege
always is false and the skill does not request installation or system-wide privileges. The agent may call the external API autonomously when invoked (disable-model-invocation is false) — this is the platform default but means the agent could send data to the external service when the skill runs.
Scan Findings in Context
[no_findings] expected: No code files were present so the regex scanner had nothing to analyze. This is expected for an instruction-only skill, but also means we cannot inspect implementation details.
What to consider before installing
This skill will send your footage and hiring details to an external NemoVideo API using a NEMO_TOKEN. Before installing: (1) verify you trust NemoVideo (confirm the API domain, company, and privacy/data-retention practices) and avoid uploading any footage or candidate data you do not own or have consent to share; (2) confirm the exact meaning and scope of NEMO_TOKEN (use a scoped or disposable token if possible); (3) ask the publisher to clarify the discrepancy about ~/.config/nemovideo/ (is the skill expected to read local config files?), and request explicit data-handling statements; (4) if you need stronger guarantees, decline installing until the skill provides a homepage/source, privacy policy, and clearer metadata. If any of these questions are unresolved, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ew9hn41mk5bsa029n9an939841a95

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments