Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Photo Editing

v1.0.0

Turn ordinary snapshots into stunning visuals with intelligent ai-photo-editing that handles retouching, color grading, background removal, and object cleanu...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill is labelled and marketed as 'photo editing', but the runtime instructions, endpoints, and export flow reference video-specific APIs (e.g., upload-video, render/proxy/lambda producing mp4) and streaming SSE for long-running jobs. That mismatch between name/description and the actual API surfaces is unexpected and could mean the skill is broader than advertised.
! Instruction Scope
SKILL.md instructs the agent to (a) read the skill frontmatter and detect install paths (~/.clawhub, ~/.cursor/skills) to set X-Skill-Platform, (b) read local file paths to upload files, and (c) contact remote APIs and stream events. The instructions also say to 'keep technical details out of the chat', which reduces visibility into background activity. Reading install paths and home-dir config and uploading local files are within a media skill's remit but expand the agent's access surface and should be explicit to users.
Install Mechanism
No install spec or code files are present (instruction-only). Nothing is downloaded or written to disk by an installer step, which minimizes installation-time risk.
Credentials
The skill only declares one required credential (NEMO_TOKEN) which is appropriate for a hosted API service. It also declares a config path (~/.config/nemovideo/) and the SKILL.md instructs creating/using an anonymous token when NEMO_TOKEN is absent — acceptable but noteworthy because local config and token storage could contain persistent secrets and the skill probes filesystem locations to derive platform attribution.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges in metadata. Autonomous invocation is allowed (default) but is not combined with 'always: true' or other high-privilege claims.
What to consider before installing
This skill appears to be a cloud-backed media editor that will upload your files to https://mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN (or it will obtain an anonymous token automatically). Before installing: (1) confirm whether you are comfortable sending images/videos to that remote service and review its privacy/data-retention terms, (2) ask the publisher for a homepage or source (none is provided), (3) verify why the skill advertises 'photo' editing while its API references video rendering and uploads, (4) be aware the skill may read ~/.config/nemovideo/ and detect install paths in your home directory (these are small but real filesystem accesses), and (5) consider providing a scoped/limited token rather than a high-privilege secret. If you need stronger assurance, request the service's privacy policy, exact token scopes, and a publisher/source repository before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk979z56az3jzc728v0gvc65rt1843z64

Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
