ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Ai Image To Video

v1.0.0

Tell me what you need and I'll help you bring your still images to life as captivating video content — completely free. This free-ai-image-to-video skill tra...

0· 45·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match the actions described in SKILL.md (session creation, uploads, SSE generation, rendering). Requesting a NEMO_TOKEN is appropriate for a hosted video generation API. However, the SKILL.md frontmatter includes a required configPath (~/.config/nemovideo/) while the registry metadata shown to the scanner lists no required config paths — this mismatch should be reconciled.
Instruction Scope
Runtime instructions stay largely within the stated purpose (create session, upload user image files or URLs, stream generation, poll for render). The skill does instruct the agent to read or check filesystem paths to detect install platform (e.g., ~/.clawhub/, ~/.cursor/skills/) and to reference this file's YAML frontmatter for attribution; these filesystem checks are not strictly necessary for the core feature and expand the scope of what the agent will inspect.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes disk-write/installation risk.
Credentials
The single required environment variable NEMO_TOKEN is proportional to a networked API service. The metadata also declares a config path (~/.config/nemovideo/) which isn't consistently reflected in the registry summary — this mismatch is unusual and worth clarifying before granting filesystem/config access.
Persistence & Privilege
always:false and no persistence/install steps are present. The skill does not request elevated/system-wide privileges or to modify other skills.
What to consider before installing
This skill appears to actually implement an image→video API and only asks for a single NEMO_TOKEN, which is reasonable for this purpose. Before installing or providing credentials: (1) confirm the API domain (mega-api-prod.nemovideo.ai) is the legitimate service you expect; (2) if you don't trust that service, don't set NEMO_TOKEN in your environment — the skill can request an anonymous token, but that still makes network calls; (3) note the skill may check home-directory paths to detect platform and may access files you instruct it to upload; only upload images you control and avoid pointing it to sensitive local paths; (4) ask the publisher to resolve the metadata inconsistency about ~/.config/nemovideo/ so you know whether local config files will be accessed. If you need higher assurance, request source code or an official homepage before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk974z0dfw7wj79jsfs4z43vh9d84eznw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments