Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image To Video Dance

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — animate this photo so the person is dancing to the uploaded beat — and get...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to animate images into dance videos and requires a single service token (NEMO_TOKEN) and cloud API calls — that fits the stated purpose. However, the SKILL.md frontmatter references a local config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths, creating an inconsistency about whether the skill expects to store or read local config.
Instruction Scope
The runtime instructions direct the agent to check the environment for NEMO_TOKEN and, if it is missing, to call an external API to obtain an anonymous token. The upload instructions allow multipart file uploads using local file paths (e.g., -F "files=@/path"), which implies the agent might read arbitrary local files if it has filesystem access. The instructions contain no explicit guardrails restricting uploads to user-provided images only, so a misconfigured agent could inadvertently upload other local files.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by a package installer. That minimizes install-time risk.
Credentials
Only one environment variable is required (NEMO_TOKEN), which is appropriate for a cloud API client. The skill also describes obtaining an anonymous NEMO_TOKEN by POSTing to an external endpoint; that behaviour is consistent with providing temporary credentials but may result in tokens being created and (per frontmatter) possibly stored under ~/.config/nemovideo/. The registry metadata, in conflict with the frontmatter, listed no config paths, so it's unclear whether the skill will persist tokens locally.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It does not instruct modifying other skills or global agent settings. Persistent storage is implied (config path) but not explicitly required in the registry metadata.
What to consider before installing
This skill generally does what it claims (upload a photo, call a cloud API, and return an animated video) and requests only a NEMO_TOKEN. Before installing or enabling it:

- Remember this skill sends images (and potentially any file path the agent can read) to https://mega-api-prod.nemovideo.ai — do not use it with sensitive images or files you don't want uploaded.
- The skill will create or use a NEMO_TOKEN; if you prefer control, provide your own token rather than letting the skill auto-create one. Auto-created tokens are described as temporary (7 days, 100 credits).
- The SKILL.md allows uploads by local filesystem path; ensure your agent is not granted broad filesystem access if you want to prevent accidental exfiltration of other local files.
- The registry metadata lacks a homepage and the source is unknown; that increases operational risk — prefer skills with documented vendors or inspect logs/network traffic to confirm only expected API endpoints are used.

If you want to proceed, limit the agent's filesystem permissions, avoid supplying secrets in the same environment, and only upload images you are comfortable sending to an external service.

Like a lobster shell, security has layers — review code before you run it.

latestvk972tg50qhcespf4hme7d3npgh84rdd6

Runtime requirements

💃 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN