Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Whisk Ai
v1.0.0Drop an image and describe a new scene — whisk-ai blends your visual inputs with creative AI generation to produce entirely fresh imagery. Built around Googl...
⭐ 0· 39·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (image remixing) aligns with the runtime behavior: uploading images, creating sessions, and requesting generations from a remote API. However: the skill claims to be built around Google's Whisk/Imagen tech while all network calls target mega-api-prod.nemovideo.ai (an unknown domain) — that mismatch is unexplained. The SKILL.md frontmatter also declares a config path (~/.config/nemovideo/) that the registry metadata did not list, and the skill has no public homepage or source repository to validate the backend claims.
Instruction Scope
Instructions are explicit about creating a session, uploading images, using SSE for streaming responses, polling for export, and including attribution headers. These are in-scope for an image-generation skill. It also instructs detecting install path and reading this SKILL.md frontmatter at runtime to fill attribution headers (requires reading the agent's environment/files). The skill will POST user images and prompts to the external nemovideo.ai API — this is expected for cloud processing but has privacy implications (user uploads leave the local environment).
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer. Lowest install-surface risk.
Credentials
Only NEMO_TOKEN is required, which is appropriate for a remote API. However, the SKILL.md metadata also mentions a config path (~/.config/nemovideo/) not declared elsewhere in the registry metadata, creating an inconsistency: either the skill expects to read/write that config directory (broader access than declared) or the metadata is stale/incorrect. The skill also will accept/issue an anonymous token if NEMO_TOKEN is absent, which means it will contact the remote API to obtain credentials on the fly — a behavior you should be aware of before uploading sensitive images.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. It will create ephemeral sessions/tokens for operations, which is consistent with a remote-processing image skill. Autonomous invocation is allowed by default (platform normal) and not by itself a problem here.
What to consider before installing
This skill will upload any images you give it to a third-party API (mega-api-prod.nemovideo.ai) and will obtain or use a NEMO_TOKEN for authorization. The publisher/source and homepage are missing, and the SKILL.md claims Google 'Imagen' tech while calling an unknown domain — ask the publisher for provenance and a privacy/terms URL before trusting sensitive content. Also clarify whether the skill actually needs access to ~/.config/nemovideo/ (the frontmatter lists it but the registry metadata did not). If you decide to proceed: avoid uploading private or sensitive photos, review any returned URLs before clicking, and prefer skills from verified sources or with public documentation.Like a lobster shell, security has layers — review code before you run it.
latestvk976msqxc74htfnsz0r9xnsrt584ec18
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎨 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN