Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dreamina Seedance

v1.0.1

Turn still images into dance videos using Dreamina SeedAnce. Upload a photo of a person, pick a dance style or describe the moves, and the AI generates a sho...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (turn images into dance videos) matches the runtime instructions and API endpoints. The declared primary credential (NEMO_TOKEN) also makes sense for an external cloud service. However, SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — a mismatch worth clarifying.
Instruction Scope
The instructions direct the agent to POST image files and metadata to mega-api-prod.nemovideo.ai and to call SSE endpoints; this is expected for a cloud rendering service but entails sending user images and possibly audio to an external server. The SKILL.md also describes anonymous-token generation and session management. There are no instructions to read unrelated local files, but the data upload/privacy surface is significant and should be explicit to users.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Registry requires NEMO_TOKEN as the primary credential, but SKILL.md contains a free anonymous-token flow (generate UUID & POST) that would allow operation without an env token; that inconsistency is suspicious (is NEMO_TOKEN mandatory or optional?). The SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that the registry did not declare. Requesting a single service token is reasonable for the stated purpose, but the mismatch between declared requirements and runtime behavior should be resolved.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system-wide privileges. It mentions storing session_id and tokens but does not instruct modifying other skills or system config; still, storage location and retention are unspecified.
What to consider before installing
This skill uploads user photos and other media to an external API (mega-api-prod.nemovideo.ai) to render videos — expect your images to leave your device. Before installing:

1) Ask the publisher to resolve inconsistencies (is NEMO_TOKEN required or optional? why does SKILL.md list ~/.config/nemovideo/ when registry does not?).
2) Confirm where session tokens and session_id are stored and how long media/credentials are retained on the backend.
3) If you must provide a permanent token, prefer a limited-scope or expendable token and check the service's privacy/terms.
4) Verify the API domain and publisher identity (no homepage provided).

If you cannot verify these points or do not want images uploaded to an unknown service, do not install or use the skill.


latestvk97ergwfwn6jc2ah0z330d7htn84fsm3

Runtime requirements

💃 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
