ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Letter Maker

v1.0.0

A written thank-you note takes 30 seconds to read. A video thank-you creates a memory. Recruiters who send personalized video messages to candidates report 3...

0· 40·1 current·1 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The description describes a cloud video-processing service (background removal, captions, trims, exports). Declaring a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) is plausible for a third-party API client. However, requires.env is empty while metadata.primaryEnv is set to NEMO_TOKEN — that's an internal inconsistency and should be clarified.
!
Instruction Scope
This is an instruction-only skill, but the SKILL.md contains only marketing and high-level workflow text; it does not specify runtime actions, upload endpoints, or how/where the NEMO_TOKEN or config path would be used. Vague instructions grant the implementer broad discretion and make it impossible to verify what data is sent or stored.
Install Mechanism
No install spec and no code files are present, so nothing is written to disk by an installer. Instruction-only skills are lower risk from install-time code execution.
Credentials
Requesting a single service token for a video-processing API is proportionate to the described functionality. But the metadata lists primaryEnv: NEMO_TOKEN while the declared requires.env array is empty — the mismatch should be resolved. The config path (~/.config/nemovideo/) is consistent with storing credentials or preferences, but its presence means the skill could read or write files in that directory if implemented.
Persistence & Privilege
The skill does not request always: true and is user-invocable with default autonomous invocation allowed. There is no evidence it requests elevated or persistent system-wide privileges.
What to consider before installing
Ask the publisher or maintainer for specifics before installing: 1) What is NEMO_TOKEN (which service) and why is it not listed in requires.env? 2) Exactly which endpoints will uploaded videos be sent to, how long will they be stored, and who can access them? 3) What files are read/written under ~/.config/nemovideo/? 4) Test with non-sensitive videos and a throwaway token first. If you must proceed, only provide a scoped API token that can be revoked, and review privacy and retention policies for the external service.

Like a lobster shell, security has layers — review code before you run it.

latestvk979q385bnng572ctpqfpnx21983xnjn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💌 Clawdis
Primary envNEMO_TOKEN

Comments