Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Photo Video Maker For Beginners
v1.0.0
beginners and casual creators turn photos and images into slideshow MP4 video using this skill. Accepts JPG, PNG, HEIC, WebP up to 200MB, renders on cloud GP...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the skill uploads images and calls a remote API to render MP4 videos on cloud GPUs. Requiring a NEMO_TOKEN is reasonable. However the frontmatter also lists a config path (~/.config/nemovideo/) and the instructions say to derive X-Skill-Platform from install paths (e.g. ~/.clawhub/), which is not called out in the registry metadata — a small inconsistency about what local data the skill expects to access.
Instruction Scope
SKILL.md is explicit about network calls: it checks for NEMO_TOKEN, and if absent it will POST to https://mega-api-prod.nemovideo.ai to obtain an anonymous token, then create a session, upload files (multipart or URL), stream SSE responses, and poll render status. These actions are coherent with the stated purpose. Note that the skill will (a) contact an external service to mint a token automatically and (b) may inspect installation paths to set attribution headers; both go beyond purely local image processing and have privacy implications.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is the lowest-risk install pattern.
Credentials
Only one credential (NEMO_TOKEN) is declared, which is proportionate for a cloud rendering API. However, the runtime instructions both require NEMO_TOKEN and include a fallback flow that auto-generates an anonymous token via the external endpoint — that duality is inconsistent. The frontmatter lists a config path (~/.config/nemovideo/) not reflected in the registry metadata; this inconsistency should be clarified (is the skill expected to read/write that path?).
Persistence & Privilege
The skill is not always-enabled and does not request elevated or cross-skill configuration changes. It can be invoked autonomously (the platform default), which increases blast radius if the backend is malicious, but this is a normal platform behavior and not in itself a reason to block the skill.
What to consider before installing
Before installing or using this skill, consider:
- Privacy: The skill uploads your photos to https://mega-api-prod.nemovideo.ai for processing. Do not upload sensitive images unless you trust that service and understand their retention/deletion policy.
- Token behavior: If you don't provide NEMO_TOKEN, the skill will mint an anonymous token for you by calling the service. Ask whether that token is stored locally or sent elsewhere, and how long it remains valid (SKILL.md says 7-day expiry / 100 free credits).
- Local-path attribution: The skill constructs X-Skill-Platform by inspecting install paths (e.g., ~/.clawhub/). Confirm whether the agent will read filesystem paths and whether that could leak local environment details.
- Inconsistencies: The metadata and instructions disagree about config paths and about whether NEMO_TOKEN is required or auto-created. Ask the publisher to clarify these points and provide a privacy/security statement or homepage before uploading personal content.
- Test safely: If you proceed, test with non-sensitive images first to confirm behavior (where files are uploaded, whether tokens appear in logs, and whether download URLs are time-limited).
If you need a higher-assurance decision, request: a publisher homepage/privacy policy, explicit explanation of token storage, and confirmation that image data is deleted after processing or retained only with user consent.
Like a lobster shell, security has layers — review code before you run it.
latestvk9772k02bakyx4h72dt23nmy3n84m8p6
Runtime requirements
🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
