Best Image To
AdvisoryAudited by VirusTotal on Apr 20, 2026.
Overview
Type: OpenClaw Skill Name: best-image-to Version: 1.0.0 The skill provides a legitimate interface for converting images to videos using the nemovideo.ai cloud service. It handles authentication via a NEMO_TOKEN environment variable or by automatically acquiring an anonymous token from the backend. The instructions in SKILL.md are focused on session management, file uploads, and monitoring the rendering process, with no evidence of data exfiltration, unauthorized command execution, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Files or URLs the user provides for conversion may be sent to the NemoVideo cloud service.
The skill can direct uploads of user-provided files or URLs to the remote backend. This is central to image/video conversion, but it is still a meaningful capability.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Upload only files you intend to process with this service, and avoid private or sensitive media unless you trust the provider.
The backend session and render jobs are associated with the NEMO_TOKEN used by the skill.
The skill uses a provider token for authentication and may obtain an anonymous token automatically. This is expected for the backend integration and is disclosed.
**Authentication**: Check if `NEMO_TOKEN` is set in the environment... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... The response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days.
Use a dedicated token for this service where possible, do not share token values, and rotate or remove the token if you no longer use the skill.
Prompts, uploaded media, and generated video state may be processed outside the local environment.
The artifact clearly discloses that rendering is performed by a remote service. The provided artifacts do not describe retention, privacy terms, or deletion controls for uploaded media.
The video creation runs on remote GPU nodes — nothing to install on your machine... All rendering happens server-side.
Review the provider’s privacy and retention practices before uploading confidential, personal, or regulated content.
It may be harder to independently verify who maintains the skill or the associated service.
The skill has limited provenance information in the supplied metadata. There is no local code or install script, so this is a transparency note rather than a concrete unsafe behavior.
Source: unknown; Homepage: none
Install only if you are comfortable with the listed publisher and the disclosed NemoVideo API endpoint.