Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image Video

v1.0.0

Convert images into a compiled video file with this skill. Works with JPG, PNG, WEBP, HEIC files up to 200MB. Marketers use it for turning a set of photos into...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (convert images to video) aligns with the API endpoints and actions described (upload, render, export). However, the registry metadata claims no required config paths while the SKILL.md metadata lists ~/.config/nemovideo/, and the skill declares NEMO_TOKEN as required yet the instructions include an anonymous-token acquisition flow if NEMO_TOKEN is missing — this is an internal inconsistency rather than an outright mismatch of purpose.
! Instruction Scope
The instructions tell the agent to upload local files (multipart uploads using file paths) and to POST/long-poll to an external SSE endpoint. That is expected for a cloud render service, but the skill also instructs the agent to fetch an anonymous token from the backend if NEMO_TOKEN isn't present (i.e., create credentials on-the-fly). The instructions do not ask for unrelated system files, but they do require access to arbitrary user-selected local files to upload and to write/read a config directory (~/.config/nemovideo/). The token acquisition flow and storage behavior are not fully specified (where/how tokens are persisted), which enlarges the operational scope.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is downloaded or written by an installer step according to the registry metadata.
! Credentials
Only one credential (NEMO_TOKEN) is declared, which is proportionate for a backend API. But SKILL.md instructs generating an anonymous token itself if NEMO_TOKEN is missing, and metadata in the skill file mentions a config path (~/.config/nemovideo/) despite registry metadata claiming none. These mismatches (declared required env var vs. self-provisioning; configPaths present only in SKILL.md) are inconsistent and increase uncertainty about where secrets are stored and whether the agent will create and persist tokens without explicit user consent.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills. It will create sessions and use session tokens for API calls (normal for a cloud service). Autonomous invocation is enabled by default (expected); that combined with the token-creation behavior means the skill could make network calls on demand, so users should consider that when enabling autonomous actions.
What to consider before installing
This skill will send images and session data to an external service at mega-api-prod.nemovideo.ai and may create or store a NEMO_TOKEN in a config directory. Before installing:
(1) Decide whether you're comfortable uploading your images to that third-party domain — do not use it for sensitive images.
(2) Note the registry metadata and SKILL.md disagree about config paths and token handling: the skill both declares NEMO_TOKEN as required and also describes obtaining an anonymous token itself — ask the author or avoid the skill if you want explicit control over credentials.
(3) If you try it, prefer to supply a token you control (not rely on anonymous provisioning), and watch for any files created under ~/.config/nemovideo/.
(4) Because the skill can be invoked autonomously and will make network calls, restrict its use if you do not want automatic uploads or background renders.
If you need higher assurance, request source or a privacy/security policy from the publisher or avoid using the skill.


Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
