Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Avatar Generator

v1.0.0

Tired of using the same boring profile pictures or spending hours in design tools just to get a decent avatar? The ai-avatar-generator skill transforms your...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match the runtime instructions (calls to a Nemovideo avatar generation backend). However the YAML frontmatter in SKILL.md declares a config path (~/.config/nemovideo/) while the registry metadata above lists no required config paths — an inconsistency that should be clarified.
Instruction Scope
The SKILL.md directs the agent to: check NEMO_TOKEN, auto-obtain an anonymous token via a POST call if missing, create and store a session_id, detect the install path (by reading filesystem locations like ~/.clawhub/ or ~/.cursor/skills/), and upload local files (multipart with a local path). These filesystem reads and unspecified persistent storage of tokens/session IDs are outside a minimal 'generate an avatar' spec and are not fully described (where/how the session/token is stored, retention policy). The instructions also explicitly tell the agent not to display tokens — implying they will be stored/used — which increases risk if storage location or scope isn't specified.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers installation risk.
Credentials
Only one environment credential is declared (NEMO_TOKEN), which fits the API usage. But the skill will auto-request an anonymous token if NEMO_TOKEN is unset, reducing the need for a pre-provided token — and the frontmatter also lists a config path (~/.config/nemovideo/) that was not reflected in the registry metadata. The required env/paths should be consistent and documented (and justified) before trusting the skill.
Persistence & Privilege
always:false (no forced global activation) and autonomous invocation is default (expected). The runtime asks the agent to 'store the returned session_id for subsequent requests' but doesn't specify where or how long. Combined with filesystem access to detect install path and a declared config directory, this indicates the skill may persist credentials or session state on disk — a moderately sensitive capability that should be explicitly documented and user-consented.
What to consider before installing
This skill appears to do what it claims (call a Nemovideo backend to generate avatars), but you should verify a few things before installing:
1) Clarify where the skill will store session IDs / tokens (memory vs disk) and for how long — persistent storage on disk can expose tokens.
2) Ask why it needs to read install paths and ~/.config/nemovideo/ (the registry metadata and SKILL.md disagree); if you don't want filesystem access, decline.
3) Consider supplying your own NEMO_TOKEN instead of letting the skill obtain anonymous tokens automatically.
4) Review privacy implications of uploading personal photos to an external API (check the provider's privacy/retention policy).
5) If you are uncomfortable with automatic network calls or unspecified persistent storage, do not enable autonomous invocation or avoid installing the skill until these items are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk9779c8gaf40vqajzeyq1g4bcn849r6d


Runtime requirements

🎭 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
