Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Image To Video
v1.0.0
Bring your still images to life without spending a cent. This free-image-to-video skill transforms static photos, illustrations, and graphics into fluid, eng...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description align with the actions described in SKILL.md (upload image → cloud render → download video). The single required credential (NEMO_TOKEN) is consistent with a cloud service API. However, the registry metadata marks NEMO_TOKEN as required/primary while the instructions include an anonymous-token flow to create a NEMO_TOKEN if none is present — that mismatch is unexpected and should be clarified.
Instruction Scope
Instructions stay broadly within the image→video conversion scope (session creation, SSE, upload, export). They also instruct the agent to: call external API endpoints at mega-api-prod.nemovideo.ai, upload files (multipart or URL), poll render status, and read an install path to set X-Skill-Platform header. The install-path detection implies the agent may inspect filesystem/install locations; this is not explained in the metadata and increases the surface area. The instructions explicitly say not to expose tokens, which is good but relies on correct implementation.
Install Mechanism
No install spec and no code files are present (instruction-only), so nothing is written to disk by an installer. That minimizes install-time risk. Note: because there is no code, static scanners had nothing to analyze.
Credentials
Only one credential is declared (NEMO_TOKEN), which is proportionate for a cloud-rendering API. However, SKILL.md attempts to acquire an anonymous NEMO_TOKEN via an API call when the env var is absent — this contradicts the 'required env var' declaration and gives the skill network-level capability to obtain credentials on behalf of the user. The domain used (mega-api-prod.nemovideo.ai) is not documented with a homepage or owner information in the registry, which reduces transparency about how tokens/credits are managed and stored.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide changes. It does require storing a session_id for operations (normal for this service). Autonomous invocation (disable-model-invocation: false) is the platform default and not by itself a concern, but combined with the token-autoprovision behavior it increases blast radius if the skill misbehaves.
What to consider before installing
Before installing: (1) Verify the service owner and privacy/terms for mega-api-prod.nemovideo.ai — the skill has no homepage or source URL in its registry entry. (2) Understand that the skill will call external APIs and can upload images you provide; avoid submitting sensitive or personally identifying images unless you trust the service. (3) The registry declares NEMO_TOKEN as required, but the skill can auto-request an anonymous token for you — decide whether you prefer to supply your own token (if available) instead of letting the skill obtain one. (4) Because this is an instruction-only skill, there is no code to audit and the static scanner had nothing to analyze; proceed only if you trust the external endpoint and are comfortable with network uploads. (5) If you need stronger guarantees, ask the publisher for a homepage, privacy policy, and implementation details or prefer a skill with a verifiable source.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bnzzsesyt272ev6dt3m71a1840fqv
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
