Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image Editor

v1.0.0

Tell me what you need and I'll help you transform any image with precision and speed. This ai-image-editor skill handles everything from background removal a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (image editing) align with the runtime instructions (calls to a cloud vision API, upload endpoints, SSE for streaming). Requesting a NEMO_TOKEN is reasonable for that backend. However the skill's YAML frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — an inconsistency that should be resolved.
Instruction Scope
Instructions include network calls to mega-api-prod.nemovideo.ai (expected), but also say the agent will read the skill's YAML frontmatter and detect install path (e.g., check ~/.clawhub/ or ~/.cursor/skills/). Detecting install path implies reading user filesystem locations that were not declared in the registry metadata. The skill also offers to obtain an anonymous token if NEMO_TOKEN is absent (fine), and will upload user files to the remote API (expected for an editor). Overall the file-system detection and undeclared config path are scope creep and should be declared explicitly.
Install Mechanism
Instruction-only skill with no install script or external downloads — lowest install risk.
Credentials
Only one credential (NEMO_TOKEN) is required, which is proportionate for a hosted image-editing API. But the frontmatter's mention of a config path (~/.config/nemovideo/) suggests the skill might read local Nemo config files or cached tokens — this was not listed in the registry metadata and is not justified in the description.
Persistence & Privilege
always:false and no install-time persistence or system-wide configuration changes are requested. The skill can be invoked autonomously (platform default), which is expected; there is no special 'always' privilege or cross-skill modification described.
Scan Findings in Context
[NO_SCAN_FINDINGS] expected: The regex scanner found no code files to analyze. That is expected for an instruction-only skill, but absence of findings is not proof of safety — the SKILL.md is the primary surface to review.
What to consider before installing
- The skill will send your images and editing requests to https://mega-api-prod.nemovideo.ai — verify you trust that service and its privacy/billing policies before uploading sensitive photos.
- It requires a NEMO_TOKEN (reasonable) but can also obtain an anonymous token automatically; be aware this will cause network calls to acquire and use a token if you haven't set one.
- The SKILL.md indicates it will read its own YAML frontmatter and try to detect install paths (e.g., ~/.clawhub/ or ~/.cursor/skills/) and mentions ~/.config/nemovideo/ — these filesystem reads were not declared in the registry metadata. Ask the publisher to clarify why the skill needs to probe those paths and to explicitly declare any config files it will access.
- Confirm the skill's source/homepage and publisher identity (none provided in registry). Lack of a verifiable source increases risk.
- If you proceed, avoid placing high-privilege or unrelated secrets into NEMO_TOKEN; only provide credentials created specifically for this service.

If you want, I can draft questions to ask the publisher to clarify the config-path mismatch and data-retention policies before you install.

latestvk97eh9wajh2vvh89xjkde32q858420z9

Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN