ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Online Photo Video

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — turn my photos into a slideshow video with background music and transition...

0· 55·0 current·0 all-time
by@roca-677
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the skill uploads images, creates a session, sends SSE messages, renders a video, and returns a download URL. The required credential (NEMO_TOKEN) is appropriate for a cloud API-backed media service. No unrelated binaries or unrelated credentials are requested.
Instruction Scope
Instructions are specific to the nemovideo.ai API (session creation, upload, SSE, export polling). They instruct the agent to upload user images and to hide technical details from chat output. They also tell the agent to derive an X-Skill-Platform header from install paths (e.g., ~/.clawhub/, ~/.cursor/skills/), which implies inspecting local install paths — this is minor but unnecessary for core functionality and could leak platform information in requests. There are no instructions to read unrelated system files or arbitrary environment variables beyond NEMO_TOKEN.
Install Mechanism
This is instruction-only with no install spec and no code files; nothing is written to disk by the skill itself. That keeps the installation surface small.
Credentials
The skill declares a single primary env var (NEMO_TOKEN), which matches the API usage. The SKILL.md also includes logic to obtain an anonymous token if NEMO_TOKEN is absent. However there is a minor inconsistency: registry metadata lists 'Required config paths: none' while the SKILL.md frontmatter metadata references a config path (~/.config/nemovideo/). This mismatch is not necessarily dangerous but is an incoherence to be aware of.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It uses short-lived session tokens for rendering. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
What to consider before installing
This skill will upload your images and other inputs to a third-party API (mega-api-prod.nemovideo.ai) and requires an API token (NEMO_TOKEN) or will obtain a 7-day anonymous token on your behalf. Before installing or using it: (1) Consider privacy — do not upload sensitive or private images unless you trust the service and its retention policy. (2) The skill has no public homepage or verifiable owner in the registry; try to verify the service and token source before providing a real NEMO_TOKEN. (3) Test with non-sensitive images first and watch network activity if possible. (4) If you must use it, prefer supplying your own token that you can revoke, and avoid granting broader credentials. (5) The metadata contains a small inconsistency about a config path; ask the publisher for documentation and a privacy/terms link before trusting it fully.

Like a lobster shell, security has layers — review code before you run it.

latestvk974fxwm6cbazmg2b5j2mb7knh84nmm3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments