Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Cartoon Video Maker Free

v1.0.0

Get animated cartoon videos ready to post, without touching a single slider. Upload your images or text (JPG, PNG, MP4, GIF, up to 200MB), say something like...

0· 38·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to create cloud-rendered cartoon videos and only requires a NEMO_TOKEN — that matches the described purpose. However the SKILL.md metadata includes a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths, an inconsistency in what the skill says it will read/write. The external API host (mega-api-prod.nemovideo.ai) is plausible for this purpose, but the package has no homepage or source listed which reduces verifiability.
!
Instruction Scope
Runtime instructions tell the agent to automatically obtain anonymous credentials (POST to /api/auth/anonymous-token) when NEMO_TOKEN is missing, create and persist sessions, upload user files (multipart or URL) to the remote API, and poll render endpoints. The SKILL.md explicitly instructs not to display raw API responses or token values to the user, which could be legitimate (avoid leaking secrets) but also hides evidence of token creation/storage from the user. The file-upload and token-creation behavior means user media and derived tokens will be transmitted and stored remotely — this is expected for a cloud render service but is privacy-sensitive and should be explicit to the user.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That reduces installation risk; the runtime risk is entirely network/API activity described in SKILL.md.
Credentials
Only one environment variable (NEMO_TOKEN) is declared and used, which is proportionate to a remote API client. However, the SKILL.md suggests auto-generating and storing an anonymous token if none is present and references a config directory in its metadata — this implies writing credentials to disk (persistence) even though registry requirements showed no config paths. The instruction to hide token values from the user reduces transparency about credential creation and storage.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It does instruct creating a session_id and presumably storing it for subsequent requests, and the metadata hints at a config path (~/.config/nemovideo/) for storage. Storing its own token/session is normal for a client but the metadata/manifest mismatch and lack of a visible source/homepage mean you can't easily verify what and where it will persist.
What to consider before installing
This skill appears to legitimately connect to a remote video-rendering service and needs a single API token (NEMO_TOKEN). Before installing, consider: - Privacy: the skill uploads whatever media you give it to mega-api-prod.nemovideo.ai for rendering. Do not send sensitive images/audio unless you trust that service. - Token handling: if you don't provide NEMO_TOKEN, the skill will automatically obtain an anonymous token and store session state; the SKILL.md even instructs the agent not to show raw token values. If you want transparency, supply your own token or decline automatic token creation. - Persistence: metadata suggests it may write to ~/.config/nemovideo/ (store tokens/sessions) despite the registry listing no config paths — confirm where credentials are stored and how to delete them. - Verifiability: there is no homepage or source code link. If you need higher assurance, ask the publisher for a homepage, privacy policy, or source, or prefer a skill with published code. If you proceed, only upload non-sensitive content and consider providing a token you control rather than letting the skill create one anonymously. If anything about automatic token creation or hidden token values feels unacceptable, do not install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎨 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk978w0efvx86jwvtscb4kavn0h85bfkn
38downloads
0stars
1versions
Updated 21h ago
v1.0.0
MIT-0

Getting Started

Send me your images or text and I'll handle the AI cartoon video creation. Or just describe what you're after.

Try saying:

  • "convert a short story prompt or five character illustrations into a 1080p MP4"
  • "turn my script into an animated cartoon video with characters and background music"
  • "creating animated cartoon videos from text or images for free for students, content creators, social media users"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

AI Cartoon Video Maker Free — Create Cartoon Videos from Text

Send me your images or text and describe the result you want. The AI cartoon video creation runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a short story prompt or five character illustrations, type "turn my script into an animated cartoon video with characters and background music", and you'll get a 1080p MP4 back in roughly 1-2 minutes. All rendering happens server-side.

Worth noting: shorter scripts under 60 seconds render significantly faster and look cleaner.

Matching Input to Actions

User prompts referencing ai cartoon video maker free, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is ai-cartoon-video-maker-free, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

API base: https://mega-api-prod.nemovideo.ai

Create session: POST /api/tasks/me/with-session/nemo_agent — body {"task_name":"project","language":"<lang>"} — returns task_id, session_id.

Send message (SSE): POST /run_sse — body {"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}} with Accept: text/event-stream. Max timeout: 15 minutes.

Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F "files=@/path", or URL: {"urls":["<url>"],"source_type":"url"}

Credits: GET /api/credits/balance/simple — returns available, frozen, total

Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media

Export (free, no credits): POST /api/render/proxy/lambda — body {"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}. Poll GET /api/render/proxy/lambda/<id> every 30s until status = completed. Download URL at output.url.

Supported formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Backend Response Translation

The backend assumes a GUI exists. Translate these into API actions:

Backend saysYou do
"click [button]" / "点击"Execute via API
"open [panel]" / "打开"Query session state
"drag/drop" / "拖拽"Send edit via SSE
"preview in timeline"Show track summary
"Export button" / "导出"Execute export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "turn my script into an animated cartoon video with characters and background music" — concrete instructions get better results.

Max file size is 200MB. Stick to JPG, PNG, MP4, GIF for the smoothest experience.

Export as MP4 for widest compatibility across YouTube, TikTok, and Instagram.

Common Workflows

Quick edit: Upload → "turn my script into an animated cartoon video with characters and background music" → Download MP4. Takes 1-2 minutes for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...