Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Gif Compressor
v1.0.0
Cloud-based best-gif-compressor tool that handles reducing GIF file size for web and social sharing. Upload GIF, MP4, WebM, APNG files (up to 200MB), describ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared requirements (NEMO_TOKEN, a nemovideo config path) and the API endpoints all align with a cloud GIF/video compression service, so the requested capabilities are plausible for the described purpose. However the package metadata lists a required config path (~/.config/nemovideo/) and a required env var (NEMO_TOKEN) while the runtime instructions describe obtaining an anonymous token automatically — this mismatch reduces trust.
Instruction Scope
SKILL.md instructs the agent to accept user files (up to 200MB) and upload them to an external domain (mega-api-prod.nemovideo.ai), create sessions, stream SSE, and poll render endpoints — all expected for a cloud render tool. The concerning parts: (1) the document both requires NEMO_TOKEN in metadata and describes auto-generating one if missing (contradiction), and (2) it contains logic to post for tokens/credentials and to derive headers from local install paths, which increases the range of system data the agent may inspect. The instructions do not ask for unrelated system files, but they do direct transmission of user files and session tokens to a third-party service.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install mechanism. Nothing is written to disk by an install step.
Credentials
Only one credential is declared (NEMO_TOKEN), which is proportionate for a cloud API. However the metadata also lists a config path (~/.config/nemovideo/) that could expose stored credentials/config — the SKILL.md does not clearly justify reading that path. Also the skill will attempt to obtain an anonymous token itself if NEMO_TOKEN is not set, which changes the threat model (agent will make outbound auth requests and retain tokens).
Persistence & Privilege
The skill is not marked always:true, uses the default autonomous-invocation behavior, and does not request persistent system-wide privileges or modifications to other skills. No privileged persistence is requested.
What to consider before installing
This skill appears to be a cloud-based GIF-to-video compressor and will upload whatever files you send to https://mega-api-prod.nemovideo.ai. Before installing or using it: (1) consider privacy — do not upload sensitive images or videos unless you trust the service and its retention policy; (2) note the metadata claims NEMO_TOKEN is required but the instructions will fetch an anonymous token if none is present — decide whether you prefer supplying your own API token or allowing the agent to obtain one automatically; (3) there is no listed source or homepage for the project — verify the service domain and operator independently if possible; (4) be aware the agent may inspect install paths/config (~/.config/nemovideo and install path detection) to populate headers — remove any sensitive credentials from those locations if you do not trust the skill. If you need stronger assurance, request the skill author/source, a privacy/retention policy, or a signed binary before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latest vk97991v1fngj2kgyhqhdadw6ss84jdzn
Runtime requirements
🗜️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
