ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Video Deepfake

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — animate this photo to match the lip movements in the attached audio clip —...

0· 47·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (image→video deepfake) match the instructions (upload images/audio, call a remote rendering API). However the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) while the registry metadata lists no config paths — this mismatch is an inconsistency. Requiring access to a local config directory could be reasonable (to reuse cached tokens), but it should be declared consistently.
Instruction Scope
The instructions focus on connecting to a remote API, creating/using a NEMO_TOKEN, opening sessions, uploading media, streaming SSE, polling exports, and returning download URLs. They do not instruct the agent to read unrelated files, other environment variables, or system credentials. They do instruct generating an anonymous token and storing session_id. They also require including specific attribution headers on every request.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an install step in the bundle itself.
!
Credentials
Only NEMO_TOKEN is declared as a required credential which is proportional for a remote rendering API. However the SKILL.md frontmatter also references a local config path (~/.config/nemovideo/) that could contain tokens or persistent state but which is not listed in the registry metadata; that inconsistency should be resolved. Also the skill instructs optionally creating an anonymous token via the remote endpoint — verify that returned tokens are short-lived and not confused with other credentials. No other unrelated secrets are requested.
Persistence & Privilege
always:false and the skill does not request system-wide privileges or to modify other skills. The skill will create and use ephemeral session IDs/tokens for render jobs; autonomic invocation is permitted by default (normal), which increases blast radius for a deepfake capability but is not itself an incoherence.
What to consider before installing
What to consider before installing: - This skill uploads images and audio to a remote service (mega-api-prod.nemovideo.ai) to create deepfakes — only install if you trust that service and have permission to process the media. - Confirm the domain is legitimate and that returned tokens (from anonymous-token) are indeed short-lived. Ask the author for the service homepage/source code if you need verification. - Resolve the inconsistency: SKILL.md frontmatter references ~/.config/nemovideo/ but the registry metadata lists no config paths. Ask whether the skill will read or write that directory and what it stores there (tokens, usage logs, etc.). - Avoid setting NEMO_TOKEN to any high-privilege or long-lived credential (do not reuse cloud or personal API keys). Prefer ephemeral anonymous tokens if you have privacy concerns. - Consider limiting autonomous invocation for this skill (run manually) because deepfake capabilities can be abused; check your platform controls for per-skill autonomy. - If you must use it, review the service’s privacy and retention policy and only upload media for which you hold consent/rights.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e6s77834c3v9v0zen1tbxd584s9nv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎭 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments