Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Dance Video
v1.0.0
Turn a single portrait photo of a person into 1080p animated dance videos just by typing what you need. Whether it's animating a photo or clip to make a pers...
⭐ 0 · 58 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is an instruction-only wrapper around a remote rendering API (nemovideo.ai). Requesting a NEMO_TOKEN is coherent with that purpose. However the frontmatter metadata in SKILL.md lists a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and could indicate the skill expects to read or write a local config directory even though the top-level manifest does not declare it.
Instruction Scope
The runtime instructions tell the agent to automatically obtain an anonymous token (POST to the external API) if NEMO_TOKEN is not set, create sessions, upload files, stream SSE, poll render status, and return download URLs. Those network actions are consistent with the stated function, but the instructions also say 'Don't display raw API responses or token values to the user,' which encourages hiding credential values from users (reasonable for secrets, but worth noting). The mismatch between 'NEMO_TOKEN required' and an explicit anonymous-token flow (which makes NEMO_TOKEN optional) is an inconsistency in scope. No instructions reference other system files or unrelated environment variables, but the frontmatter's configPaths implies potential file I/O not described in the main instructions.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. This minimizes local install risk because nothing will be written to disk by an installer, but also means behavior depends entirely on runtime instructions and network calls.
Credentials
Only one credential is declared (NEMO_TOKEN) which is proportional for a remote API service. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) not declared elsewhere; if the skill actually reads/writes that path it would be broader access than the single env var suggests. Also the instructions include an anonymous token acquisition flow, making the requirement for a pre-set NEMO_TOKEN unclear.
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated privileges. It asks the agent to store session_id and to reuse tokens for subsequent calls (normal ephemeral session behavior). There is no instruction to modify other skills or system-wide settings.
What to consider before installing
This skill sends uploaded images/video to a third-party service (mega-api-prod.nemovideo.ai) for processing and uses a NEMO_TOKEN (or obtains an anonymous token) to authenticate. Before installing or using it:
1) Decide whether you're comfortable sending the images (and any audio) to an external GPU service — avoid uploading highly sensitive photos or PII.
2) Confirm the service domain (nemovideo.ai) is legitimate and review its privacy/TOS if possible.
3) Note the manifest inconsistency: SKILL.md references a local config path (~/.config/nemovideo/) but the registry metadata doesn't — ask the author whether the skill will read/write that directory.
4) Be aware the skill's instructions explicitly hide token/raw responses from users; keep your own credentials separate and avoid pasting long-lived secrets unless you trust the backend.
5) Because this is an instruction-only skill (no code to inspect), prefer to test with non-sensitive images and monitor network activity if you can.
If the author or a homepage cannot be verified, exercise extra caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk979qrdp0ad7qnh8ftbytvdrex84pt14
Runtime requirements
💃 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
