ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Video Converter

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — turn these photos into a 30-second slideshow video with smooth transitions...

0· 50·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and runtime instructions consistently describe a cloud-backed image→video service that uploads images, creates a session, and exports MP4s via endpoints on mega-api-prod.nemovideo.ai. Requesting a single API token (NEMO_TOKEN) is proportionate to that purpose. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) not reflected in the registry's top-level metadata, which is an inconsistency.
!
Instruction Scope
Most runtime steps stay within the declared purpose (create session, upload images, poll export). But the instructions also require adding attribution headers and detecting the install platform by checking local install paths (~/.clawhub/, ~/.cursor/skills/) — that implies reading the filesystem at specific paths even though no config paths were declared in the registry. The instructions also tell the agent to hide technical details from users (cosmetic, but reduces transparency).
Install Mechanism
Instruction-only skill with no install spec or code files; nothing will be written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which is appropriate for a cloud API. The SKILL.md also documents an anonymous-token fallback (POST to the service to get a short-lived token) which aligns with the service flow. The inconsistency between registry vs. SKILL.md about configPaths (SKILL.md lists ~/.config/nemovideo/) is unexplained and should be clarified: reading that path would broaden the data the skill can access.
Persistence & Privilege
always is false and model invocation is allowed (platform defaults). The skill does not request permanent presence or modify other skills. Its runtime actions are limited to network calls to the service and (per SKILL.md) reading install/config paths for attribution.
What to consider before installing
This skill generally behaves like an image→video cloud client (it needs NEMO_TOKEN and will call mega-api-prod.nemovideo.ai). Before installing, ask the publisher to explain the mismatches: 1) the registry metadata lists no config paths but SKILL.md frontmatter references ~/.config/nemovideo/ (why the difference?); 2) SKILL.md instructs detecting the install platform by reading local paths (~/.clawhub/, ~/.cursor/skills/) — confirm exactly what filesystem reads the skill will perform and why they are needed. If you will supply a NEMO_TOKEN, make sure it is scoped only for this service and consider using an ephemeral or limited token; review retention policy for uploaded images and generated videos. If the publisher cannot justify the config/path checks, treat the skill as higher risk and avoid installing until clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk972yymm0xdpxe25z2xrdwfc7s84qr9h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments