Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Online Photo Video Maker
v1.0.0
Cloud-based online-photo-video-maker tool that handles turning photo collections into shareable videos. Upload JPG, PNG, WEBP, HEIC files (up to 200MB), desc...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with cloud-based photo→video rendering. Requesting a NEMO_TOKEN as the primary credential is coherent for a 3rd-party API integration. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata earlier listed no required config paths — an inconsistency. Also the instructions include an automatic anonymous-token flow, which makes the declared requirement for NEMO_TOKEN somewhat redundant or confusing.
Instruction Scope
The skill is an instruction-only integration whose instructions: (a) auto-generate a client UUID and POST to an external API to obtain an anonymous token if NEMO_TOKEN is not present, (b) create and persist a session_id and use that token on every request, and (c) ask the agent to detect its install path to set an attribution header. These actions stay within the photo→video use-case but involve creating/persisting credentials and detecting local install paths. The instructions also explicitly tell the agent not to reveal raw API responses or token values to the user. Together, this increases the risk surface and reduces transparency.
Install Mechanism
No install spec or code files — instruction-only skill. This is low risk from an installation/execution perspective (nothing is downloaded or written by an installer step).
Credentials
Only one credential (NEMO_TOKEN) is declared as required and marked primary, which fits the described API usage. But SKILL.md contains instructions to automatically obtain and store an anonymous NEMO_TOKEN if none is set, and frontmatter references a config path for storage. The combination (declared env var + auto-obtain + suggested config path) is inconsistent and warrants user confirmation about where tokens/sessions will be stored and who controls them.
Persistence & Privilege
The skill does not request always:true and has no install script, but it instructs the agent to persist session_id and NEMO_TOKEN for subsequent requests (tokens last 7 days). Autonomous invocation is allowed (default). Persisting tokens/sessions across runs is reasonable for this service but users should be aware the skill will hold a credential and session state on their behalf.
What to consider before installing
This skill appears to do what it says (cloud photo→video conversion) but there are a few things to check before installing:
1) Confirm you trust the domain (mega-api-prod.nemovideo.ai) and are comfortable the skill will create and hold an anonymous token on your behalf — the SKILL.md will POST to that endpoint and store the returned NEMO_TOKEN/session_id.
2) Ask where the token/session will be saved (frontmatter references ~/.config/nemovideo/) and whether it will be encrypted or accessible to other local processes.
3) If you prefer transparency, provide your own NEMO_TOKEN instead of letting the skill auto-create one; confirm the registry metadata vs. SKILL.md inconsistency about config paths is resolved.
4) Be aware the skill instructs the agent to hide raw API responses and token values from the user — if you need auditability, request the skill author to log non-secret request/response metadata.
5) If you are concerned about network traffic, monitor outbound calls to the nemovideo.ai domain during initial use.
These issues look like design/sloppiness rather than outright malice, but they merit attention before trusting the skill with persistent credentials or sensitive images.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c4da560r80depdqvdxerhg984me3w
Runtime requirements
🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
