ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tech News Video

v1.0.4

Tech News Video Maker — Create Technology News and Analysis Videos.

0· 77·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the idea of a video-making assistant. Requesting a single platform token (NEMO_TOKEN) and a config path (~/.config/nemovideo/) is reasonable for an API-based video service, but the SKILL metadata declares primaryEnv=NEMO_TOKEN while the metadata's requires.env is empty — that mismatch is inconsistent and should be explained.
Instruction Scope
The provided SKILL.md content (templates/scripts for video segments) appears to be instruction-only and focuses on generating video scripts and structure. However, the SKILL.md excerpt does not show explicit runtime steps for calling an external rendering API, uploading assets, or reading the declared config path. If the skill will use NEMO_TOKEN or read ~/.config/nemovideo/, the runtime instructions should clearly state when and how those are used; their absence is a gap.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is downloaded or written to disk by an installer. This is the lowest-risk install model.
Credentials
Requesting a single platform token (NEMO_TOKEN) is proportionate for a service that likely uploads/generates videos. However: 1) requires.env is empty while primaryEnv is set (incoherent), and 2) the declared config path (~/.config/nemovideo/) implies filesystem access to user config. Both should be clearly justified in the SKILL.md (what is read, why, and when).
Persistence & Privilege
The skill is not always:true and has default autonomous invocation settings. It does not request elevated persistence or attempt to modify other skills/configs (no install or code present), so persistence/privilege level is normal.
What to consider before installing
This skill mostly provides scripted video templates and declares a platform token and config path, but the runtime behavior is not fully spelled out. Before installing: 1) Ask the publisher how/when NEMO_TOKEN is used and which network endpoints receive it; prefer short-lived or least-privilege tokens. 2) Ask why the skill needs ~/.config/nemovideo/ and what files it would read. 3) If you plan to provide NEMO_TOKEN, verify the official homepage/repository and review any code or API docs so you know exactly what the token grants. 4) Because this is instruction-only (no code to inspect), treat the token as sensitive — only provide it if you trust the vendor and have verified where data goes. 5) If possible, run the skill with a limited-test token or account first and monitor outgoing requests.

Like a lobster shell, security has layers — review code before you run it.

latestvk9742vcc8pg4efdxg7atsey22183ts6h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📰 Clawdis
Primary envNEMO_TOKEN

Comments