ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Avatar Icon Generator

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — generate a circular avatar icon from my photo for a profile picture — and...

0· 50·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions consistently describe a cloud avatar/video rendering pipeline that uses a NEMO_TOKEN and the nemovideo.ai API. Requiring a NEMO_TOKEN is proportionate. Small inconsistency: registry-level requirements listed no config paths, but the SKILL.md metadata declares a config path (~/.config/nemovideo/). This mismatch should be explained by the publisher.
Instruction Scope
SKILL.md confines actions to the nemovideo.ai API (session creation, uploads, SSE, render/start endpoints). It also instructs generating anonymous tokens when no NEMO_TOKEN is present and to detect an install path to set an attribution header. The install-path detection implies the agent might inspect environment or filesystem paths to choose X-Skill-Platform — this is not strictly necessary for functionality and broadens scope.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk (nothing is written to disk by an installer).
Credentials
Only NEMO_TOKEN (primary credential) is required, which is expected for this API. However, the skill also instructs obtaining an anonymous token via the API when NEMO_TOKEN is missing, which is reasonable but means the skill will perform network auth flows. The earlier-mentioned metadata vs registry mismatch about configPaths is another small proportionality oddity.
Persistence & Privilege
No elevated privileges requested; always is false and the skill does not request to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not by itself a problem.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters. These are not necessary for a normal API-integration instruction file and are sometimes used to hide content or evade scanners. This increases suspicion and warrants closer human review of the full SKILL.md (including any hidden characters).
What to consider before installing
This skill appears to implement a legitimate avatar/video rendering workflow against nemovideo.ai and only asks for a single service token (NEMO_TOKEN), which is appropriate. However: 1) do not provide long-lived or high-privilege credentials unless you trust the publisher — prefer a scoped or temporary token. 2) Ask the publisher why the SKILL.md includes a config path while the registry metadata did not; inconsistencies may indicate sloppy packaging or deliberate hiding. 3) The SKILL.md contains unicode control characters (hidden characters) — request the full, plain-text SKILL.md and inspect for hidden or obfuscated instructions before installing. 4) Because the skill can acquire anonymous tokens and will call external network endpoints, consider testing it in a restricted/sandboxed environment and monitor outbound network traffic and what files it reads. 5) If you plan to use sensitive images, verify the service's privacy policy and where generated media/download URLs are stored or shared.

Like a lobster shell, security has layers — review code before you run it.

latestvk979e2c1ke9t5t9qrrfb1s9jms84qs89

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧑‍🎨 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments