Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fast Photo Video Maker

v1.0.0

social media creators turn photos and images into slideshow video MP4 using this skill. Accepts JPG, PNG, HEIC, WebP up to 200MB, renders on cloud GPUs at 10...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (turn images into slideshow MP4 on cloud GPUs) align with the requested NEMO_TOKEN and the documented API endpoints on mega-api-prod.nemovideo.ai. One minor inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). This is likely bookkeeping/informational rather than a sign of unrelated capability.
Instruction Scope
The SKILL.md explicitly instructs the agent to use NEMO_TOKEN (or obtain an anonymous token via an API call) and to create sessions, upload files, poll render status, and handle SSE streams — all expected for a remote render service. Two items to note: (1) uploads include examples using multipart file paths (-F "files=@/path"), which implies the agent may attempt to access local file paths when uploading — this is necessary for sending local images but means the agent could try to read filesystem paths the user provides; (2) the skill asks to read its YAML frontmatter and detect install path to set attribution headers, which requires inspecting the skill file and/or agent install path (fairly benign but broader file-system queries than strictly sending images). The instructions do not request unrelated environment variables or other system secrets.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install footprint. There are no downloads, package installs, or archive extracts.
Credentials
Only a single credential (NEMO_TOKEN) is required, which is proportional to a service that needs a bearer token for authenticated render jobs. The skill also supports obtaining an anonymous token via the service API if no token is provided. No unrelated secrets or multiple service credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It only documents runtime behavior (session creation, polling, SSE), which is normal for an API-backed skill.
Assessment
This skill appears to be what it says: a cloud-rendering pipeline that needs a single NEMO_TOKEN or will fetch a short-lived anonymous token and will send your images to mega-api-prod.nemovideo.ai for processing. Before installing or invoking: (1) don’t provide highly sensitive images or secrets to the skill without verifying the backend — uploads are sent to an external service; (2) if you don’t want to share a permanent token, omit NEMO_TOKEN and let the skill use the anonymous-token flow (returns short-lived credits); (3) be aware the agent may try to read local file paths you provide to upload images and may inspect the skill file/install path for attribution headers — this is expected but worth noting; (4) the SKILL.md mentions a config path in its metadata that the registry listing did not — minor mismatch but likely informational. If you need stronger assurance, ask the publisher for a privacy/data-retention policy or test with non-sensitive sample images first.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN