ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yoga Class Video

v1.0.0

Your yoga studio has morning flow, evening yin, and a Sunday restorative class that sells out every week through word of mouth alone — but your Instagram has...

0· 22·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe producing promo videos and the SKILL.md shows a single API call to a nemo video service with an Authorization bearer token — this is coherent. However, the SKILL.md metadata references a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths, creating an inconsistency about whether the skill expects local config files.
Instruction Scope
The runtime instructions are minimal and scoped: a single curl POST to https://mega-api-prod.nemovideo.ai/api/v1/generate using $NEMO_TOKEN and user-supplied footage URLs and descriptors. The instructions do not ask the agent to read unrelated system files or other environment variables. Note: the sample payload will transmit user footage URLs and class metadata to an external API (privacy concern).
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing is written to disk by the skill itself from what is provided.
Credentials
The single required env var (NEMO_TOKEN) is proportionate for authenticating to the external API. However, SKILL.md metadata mentions a config path (~/.config/nemovideo/) that the registry listing did not; it's unclear whether the agent will read local config files. Also, providing the token grants the skill the ability to call the external API with that token — consider the token's scope and lifetime.
Persistence & Privilege
Skill is not force-included (always: false) and uses normal model invocation. There are no install steps that persist files or change other skills or system settings in the provided materials.
What to consider before installing
This skill appears to call an external NemoVideo API and requires a single auth token. Before installing: 1) Verify the origin/provider (there's no homepage and source is unknown); confirm nemo video's legitimacy and privacy policy. 2) Confirm what ~/.config/nemovideo/ (mentioned in SKILL.md metadata) contains and whether the skill will read it — ask the publisher to clarify the mismatch with registry metadata. 3) Only supply an API token with minimal scope and consider using a short-lived or revocable token. 4) Be aware that any footage or URLs you provide will be transmitted to mega-api-prod.nemovideo.ai — do not upload sensitive personal data. 5) Test first with non-sensitive sample footage. If you cannot verify the provider or the config path behavior, avoid installing or supplying your real token.

Like a lobster shell, security has layers — review code before you run it.

latestvk976jkw5s2825ecjh70f001fax848f80

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧘 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments