ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Ai Image Generator

v1.0.4

The free-ai-image-generator skill on ClawHub lets you conjure original images from plain text descriptions — no design background required. Describe a scene,...

0· 102·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Skill is an AI image/video generator and declares NEMO_TOKEN as its primary credential and ~/.config/nemovideo/ as its config path — both are coherent with contacting an external Nemovideo API for rendering and exports.
Instruction Scope
Runtime instructions are focused on generating images/videos via the Nemovideo API. They direct reading/writing of ~/.config/nemovideo/client_id (a persisted UUID) and creation/use of an anonymous token; they also instruct including skill metadata (name, version, SKILL_SOURCE) in API requests. These behaviors are expected but mean the skill will persist a client identifier and transmit local metadata to the vendor, which is a privacy/telemetry consideration.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written beyond the described client_id file, so install-level risk is low.
Credentials
Only NEMO_TOKEN is declared as the primary credential. Optional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID) are reasonable for configuring the API endpoint and client id. No unrelated secrets or broad credential requests are present.
Persistence & Privilege
always:false and default autonomous invocation are appropriate. The skill does persist a UUID to ~/.config/nemovideo/client_id to avoid token rate limits; this is limited persistence (identifier only) but can be used for tracking across sessions. The skill does not request system-wide privileges or modify other skills.
Assessment
This skill legitimately calls Nemovideo's API and will create a small file (~/.config/nemovideo/client_id) containing a UUID to avoid rate limits and to request an anonymous token (up to 100 free credits). Before installing, consider: 1) network calls go to the vendor's API and include metadata (skill name/version and a SKILL_SOURCE value that can leak the install path/platform) — review Nemovideo's privacy policy if you care about telemetry; 2) avoid uploading sensitive images/content you wouldn't want sent to an external service; 3) if you prefer not to persist an identifier, you can remove ~/.config/nemovideo/client_id (or set your own NEMO_TOKEN) but doing so may trigger rate limits; and 4) if you want more control, set your own NEMO_TOKEN and NEMO_API_URL rather than relying on the anonymous token flow.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f8qdsh39we4cybv0ej1dn2x83wa8t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎨 Clawdis
Primary envNEMO_TOKEN

Comments