Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Split Screen Video Maker

v1.0.0

You have a before-and-after product demonstration and a side-by-side competitor comparison that both need to ship by end of day. Split Screen Video Maker han...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Functionally, a video-rendering skill can legitimately call an external service or a local renderer. The SKILL.md describes uploading clips and having 'NemoVideo handle' rendering, which is consistent with needing a service token. However the registry metadata shows an unusual mismatch: requires.env is empty while primaryEnv is set to NEMO_TOKEN, and the skill has no homepage or source to verify what NemoVideo is. That inconsistency reduces confidence that all declared requirements are transparent and proportional.
Instruction Scope
The SKILL.md itself stays within the expected scope: describing layouts, asking for clips, and describing output options. It does not instruct the agent to read arbitrary host files or other credentials. However the embedded metadata declares a config path (~/.config/nemovideo/) which implies the agent may read local configuration; the instructions do not explain what is read from that path or why. The gap between prose and metadata is a scope/clarity issue.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write binaries or download archives during installation — low install-mechanism risk. The scanner had no files to analyze.
Credentials
A single service token (NEMO_TOKEN) is plausible for a cloud rendering backend, but the manifest is inconsistent: required env list is empty while primaryEnv is declared. The declared config path and a named token imply access to secrets/config stored on the host; that access should be clearly explained. Because the skill lacks a homepage/source and doesn't describe how or where media and credentials are used, requesting a token (or implying reading ~/.config/nemovideo/) is disproportionate without further detail.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. It appears able to be invoked by the agent as normal, which is expected for skills. There is no evidence it will modify other skills or system-wide settings.
What to consider before installing
This skill could be legitimate (it likely uses a 'NemoVideo' service) but there are unknowns you should resolve before installing:
1) Ask who operates 'NemoVideo' and request a homepage or documentation link to verify the service and its privacy/retention policies.
2) Confirm why a NEMO_TOKEN is needed and whether the skill will upload your video files to an external API; if so, ask for the exact endpoint and data handling policy.
3) Because the metadata references ~/.config/nemovideo/, inspect that folder (or deny access) and avoid providing high-privilege tokens you wouldn't want exfiltrated.
4) If you must use it, prefer a scoped service token with limited lifetime/permissions and test in an isolated environment first.
If the publisher cannot explain the token/config usage and provide verifiable documentation, treat the skill as risky and avoid providing secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk975mtjqqrcmpeja4th8n32qn983w5jh


Runtime requirements

Clawdis
Primary env: NEMO_TOKEN
