ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Gif Compressor

v1.0.0

web developers, marketers, social media managers compress GIF files into compressed GIF files using this skill. Accepts GIF, MP4, WebM, APNG up to 200MB, ren...

0· 20·0 current·0 all-time
by@whitejohnk-26
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's primary requirement (NEMO_TOKEN) and the runtime instructions to call a nemovideo.ai API are consistent with a cloud-based GIF compressor. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata showed no required config paths — a small inconsistency that could indicate undeclared filesystem access expectations.
!
Instruction Scope
Instructions tell the agent to auto-acquire an anonymous token, create and persist a session_id, upload user media to nemovideo.ai, stream SSE messages, and poll for render results — all expected for a cloud rendering service. Concerns: (1) the SKILL.md suggests detecting the install path to set X-Skill-Platform (which implies reading local paths), but that filesystem access is not declared; (2) the skill will automatically call external endpoints and upload user files (privacy implication).
Install Mechanism
This is instruction-only with no install spec and no code files — nothing is written to disk by an installer. That reduces risk from arbitrary installs.
Credentials
Only NEMO_TOKEN is declared as required, which is proportional for a 3rd-party API. But the frontmatter's configPaths and the instructions' implicit install-path detection are not listed in the registry fields, creating a mismatch about what local data may be accessed. The skill also automatically obtains an anonymous token if none is supplied, which will create credentials that may be stored for up to 7 days.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It will persist a session_id/token for subsequent API calls — normal for a session-based cloud service.
What to consider before installing
This skill uploads your media to an external cloud service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN (it can auto-create an anonymous token for you). Before installing: (1) confirm you are comfortable uploading the GIFs/videos to that domain — do not use with sensitive or private content unless you trust the service; (2) consider providing your own NEMO_TOKEN rather than letting the skill auto-create and store one; (3) ask the publisher why the frontmatter references ~/.config/nemovideo/ and install-path detection — confirm what local paths the agent will read and where it stores tokens/session IDs; (4) because this is instruction-only (no local installer), review network behavior and privacy policy of nemovideo.ai. These mismatches and implicit filesystem checks are not proof of malice but are reasons to proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk973qz7h3ys6kspf28a6fxymb584mjqk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🗜️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments