Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image To Video Leaderboard

v1.0.0

convert still images into animated video clips with this skill. Works with JPG, PNG, WEBP, HEIC files up to 200MB. AI researchers, content creators, marketer...

0· 29·0 current·0 all-time
bypeandrover adam@peand-rover
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the skill sends images to a cloud backend and returns rendered MP4s. Required credential NEMO_TOKEN is appropriate for a remote API. However, the SKILL frontmatter lists a configPaths entry (~/.config/nemovideo/) even though the registry metadata earlier lists no required config paths; the skill's Source/Homepage are missing which reduces provenance. Overall capability is coherent but provenance/metadata inconsistencies are notable.
!
Instruction Scope
Instructions direct the agent to upload user images and session metadata to https://mega-api-prod.nemovideo.ai, manage bearer tokens, use SSE, poll render endpoints, and detect install path to set X-Skill-Platform. Uploading user media and reading install path/config are within the feature's needs but are sensitive actions — the SKILL.md does not include privacy/retention guarantees and it instructs the agent to access local paths for platform detection. The skill also instructs anonymous token generation if NEMO_TOKEN is absent, meaning it will obtain credentials automatically.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. No downloads or external packages are installed by the skill itself.
Credentials
Only a single credential (NEMO_TOKEN) is requested, which is proportional to a remote render API. The skill will also generate an anonymous token if none is present. The frontmatter's configPaths entry suggests the skill may access ~/.config/nemovideo/ (sensitive) but the registry listing showed no required config paths — this mismatch should be clarified.
Persistence & Privilege
always:false and no self-install behavior were declared. The skill asks to keep a session_id for operations (ephemeral session state) but does not explicitly instruct writing persistent credentials to disk. No elevated privileges or forced inclusion are requested.
Scan Findings in Context
[no_regex_findings] expected: No code files present; the regex-based scanner had nothing to analyze. This is expected for an instruction-only skill, but absence of findings is not evidence of trustworthiness.
What to consider before installing
This skill will upload whatever images and metadata the user supplies to an external service (mega-api-prod.nemovideo.ai) and uses a bearer token (NEMO_TOKEN) for auth. That behavior is expected for an image→video cloud service, but before installing you should: 1) verify who runs mega-api-prod.nemovideo.ai (no homepage or source is provided here); 2) avoid uploading sensitive images unless you trust the backend and have a clear privacy/retention policy; 3) confirm whether the skill will persist tokens or session IDs to disk and where (frontmatter references ~/.config/nemovideo/); 4) consider providing your own NEMO_TOKEN rather than allowing the skill to auto-generate anonymous tokens; and 5) prefer skills with clear provenance (homepage, publisher) or test first with non-sensitive images. The mismatched metadata (frontmatter configPaths vs. registry 'none') and missing homepage are the primary reasons this is flagged as suspicious rather than benign.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🏆 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97e0057czfsp0dq47as7gr70h85409b
29downloads
0stars
1versions
Updated 14h ago
v1.0.0
MIT-0

Getting Started

Share your still images and I'll get started on AI video generation. Or just tell me what you're thinking.

Try saying:

  • "convert my still images"
  • "export 1080p MP4"
  • "convert this image into a 5-second"

Quick Start Setup

This skill connects to a cloud processing backend. On first use, set up the connection automatically and let the user know ("Connecting...").

Token check: Look for NEMO_TOKEN in the environment. If found, skip to session creation. Otherwise:

  • Generate a UUID as client identifier
  • POST https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with X-Client-Id header
  • Extract data.token from the response — this is your NEMO_TOKEN (100 free credits, 7-day expiry)

Session: POST https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer auth and body {"task_name":"project"}. Keep the returned session_id for all operations.

Let the user know with a brief "Ready!" when setup is complete. Don't expose tokens or raw API output.

AI Image to Video Leaderboard — Compare and Rank Image-to-Video Models

Send me your still images and describe the result you want. The AI video generation runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a single product photo or landscape image, type "convert this image into a 5-second animated video clip", and you'll get a 1080p MP4 back in roughly 30-90 seconds. All rendering happens server-side.

Worth noting: higher contrast images tend to produce smoother motion results.

Matching Input to Actions

User prompts referencing ai image to video leaderboard, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Skill attribution — read from this file's YAML frontmatter at runtime:

  • X-Skill-Source: ai-image-to-video-leaderboard
  • X-Skill-Version: from frontmatter version
  • X-Skill-Platform: detect from install path (~/.clawhub/clawhub, ~/.cursor/skills/cursor, else unknown)

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Backend Response Translation

The backend assumes a GUI exists. Translate these into API actions:

Backend saysYou do
"click [button]" / "点击"Execute via API
"open [panel]" / "打开"Query session state
"drag/drop" / "拖拽"Send edit via SSE
"preview in timeline"Show track summary
"Export button" / "导出"Execute export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Error Handling

CodeMeaningAction
0SuccessContinue
1001Bad/expired tokenRe-auth via anonymous-token (tokens expire after 7 days)
1002Session not foundNew session §3.0
2001No creditsAnonymous: show registration URL with ?bind=<id> (get <id> from create-session or state response when needed). Registered: "Top up credits in your account"
4001Unsupported fileShow supported formats
4002File too largeSuggest compress/trim
400Missing X-Client-IdGenerate Client-Id and retry (see §1)
402Free plan export blockedSubscription tier issue, NOT credits. "Register or upgrade your plan to unlock export."
429Rate limit (1 token/client/7 days)Retry in 30s once

Common Workflows

Quick edit: Upload → "convert this image into a 5-second animated video clip" → Download MP4. Takes 30-90 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "convert this image into a 5-second animated video clip" — concrete instructions get better results.

Max file size is 200MB. Stick to JPG, PNG, WEBP, HEIC for the smoothest experience.

Export as MP4 for widest compatibility.

Comments

Loading comments...