ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Image To Video Ai Free

v1.0.0

Cloud-based best-image-to-video-ai-free tool that handles converting still photos into short animated videos for social media. Upload JPG, PNG, WEBP, HEIC fi...

0· 58·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description align with the runtime instructions (upload images, request cloud renders, return MP4). Requesting a single NEMO_TOKEN credential is reasonable for a cloud service. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that the registry metadata earlier said was 'none' — an inconsistency between manifest and runtime instructions.
!
Instruction Scope
The instructions direct the agent to automatically obtain an anonymous token from https://mega-api-prod.nemovideo.ai if NEMO_TOKEN is not present, create sessions, store session_id, and upload user files (via multipart or URL). They also instruct the agent not to display raw API responses or token values to the user, and to 'process internally' some SSE tool call results. Those behaviors are coherent with a cloud render service but give the skill discretion to perform network calls, persist tokens, and hide raw request/response details from the user — which increases the need for trust in the remote service.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an installation perspective (nothing is written to disk by the registry). All execution happens via network calls at runtime.
Credentials
Only NEMO_TOKEN is declared as required, which is proportionate for a remote API. The SKILL.md also references a config path in its frontmatter (~/.config/nemovideo/) and requires reading an 'install path' to set X-Skill-Platform, creating a small additional scope (agent path/config access) that wasn't listed in the registry metadata. The token auto-generation flow creates/stores credentials that the agent will use; this is expected but worth awareness.
Persistence & Privilege
always:false and normal model invocation are used. The skill stores an ephemeral anonymous token and session_id for service usage, which is expected for session-based cloud APIs. It does not request elevated platform-wide privileges or modify other skills' configs.
What to consider before installing
This skill appears to implement a cloud image→video workflow and will upload files and make network calls to mega-api-prod.nemovideo.ai. Before installing: (1) confirm you trust the remote domain and its privacy policy (your images will be sent there); (2) note the skill will auto-request and store an anonymous NEMO_TOKEN if you don't supply one — consider whether you want the agent to create credentials automatically; (3) verify the manifest inconsistency (SKILL.md mentions ~/.config/nemovideo/ while registry metadata lists none) and ask the publisher to clarify why a config path is required; (4) avoid uploading sensitive images until you confirm data retention and access practices. If you want to proceed, prefer providing your own NEMO_TOKEN explicitly rather than allowing automatic token generation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b59m49h90spt1yxmg2fat2s84jcc4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments