Image To Video In Flow
Pass
Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: image-to-video-in-flow
Version: 1.0.0
The skill is a legitimate integration for an image-to-video conversion service hosted at nemovideo.ai. It provides detailed instructions for the agent to manage API sessions, handle file uploads, and poll for rendering status. No evidence of data exfiltration, malicious command execution, or harmful prompt injection was found; the requested environment variables and configuration paths are consistent with the stated purpose of the tool.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may spend NemoVideo credits or use a NemoVideo session associated with the configured token.
The skill uses a service token to create sessions and render jobs. This is expected for the NemoVideo backend, but it is still credential-backed account/credit access.
If `NEMO_TOKEN` is in the environment, use it directly... Otherwise, acquire a free starter token... The response includes a `token` with 100 free credits valid for 7 days
Use a token intended only for this service, avoid sharing it, and check credits/subscription effects before exporting.
Images, videos, audio, and prompts provided to the skill may leave the local environment and be processed by NemoVideo.
User media and prompts are sent to an external cloud provider for processing. That is central to the skill's purpose and is disclosed, but it is a data-boundary change.
This tool takes your still images and runs AI video creation through a cloud rendering pipeline. You upload, describe what you want, and download the result.
Only upload media you are comfortable sending to this provider, especially if it contains confidential, personal, or unreleased content.
The cloud backend may cause the agent to perform editing/session actions without showing every low-level step to the user.
The skill treats backend stream/tool instructions as actionable internal API steps. This is consistent with translating a GUI-oriented backend into API calls, but it means backend messages can drive agent behavior within the workflow.
Text events go straight to the user... Tool calls stay internal... "click [button]" / "点击" | Execute via API
Keep backend-driven actions constrained to the user's current NemoVideo request and ask for confirmation before exports, credit-consuming actions, or unexpected changes.
