Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image To Video Io

v1.0.0

Get animated video clips ready to post, without touching a single slider. Upload your still images (JPG, PNG, WEBP, GIF, up to 200MB), say something like "tu...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to need a NEMO_TOKEN (registry metadata lists NEMO_TOKEN as required/primaryEnv), which is consistent with a cloud service integration. However the SKILL.md also instructs the agent to automatically obtain an anonymous NEMO_TOKEN if none is present by calling the service's anonymous-token endpoint. This mismatch (declared 'required' vs. auto-provisioning in instructions) should be clarified.
Instruction Scope
Instructions require network calls to mega-api-prod.nemovideo.ai (expected for a cloud render service) and describe uploading user images and polling SSE/state endpoints (expected). They also instruct detection of the agent's install path (~/.clawhub/ and ~/.cursor/skills/) and reference a config path (~/.config/nemovideo/) in the frontmatter — this implies filesystem probing of the agent environment that is not strictly necessary for core image->video functionality and should be justified.
Install Mechanism
Instruction-only skill with no install spec or code files. Low installation risk because nothing is downloaded or executed at install time.
Credentials
Only one credential (NEMO_TOKEN) is involved, which is proportionate for a cloud API. Caveats: the metadata and the instructions differ about whether NEMO_TOKEN is required or optional (auto-obtained). The skill also suggests using or creating tokens with 7-day expiry/credits; users should avoid providing long-lived account tokens unless they understand scope and privileges.
Persistence & Privilege
The skill is not set to always:true and contains no install-time persistence. It can run autonomously (normal default) but does not request elevated or permanent platform privileges.
What to consider before installing
This skill appears to implement an image→video cloud service and will upload images and make multiple API calls to mega-api-prod.nemovideo.ai. Before installing:

1) Confirm the service domain (nemovideo.ai) is trustworthy for your images and check their privacy/TOS.
2) Do not supply a long-lived account token until you verify required scopes; prefer the anonymous token flow if you want limited, short-lived access.
3) Ask the author to reconcile metadata vs SKILL.md (registry claims NEMO_TOKEN/configPaths vs SKILL.md auto-creates tokens and lists ~/.config/nemovideo/).
4) If you are concerned about the agent probing ~/.clawhub/ or ~/.cursor/skills/ or other local paths, request a version that omits install-path detection.
5) Consider testing with non-sensitive images and monitoring network requests (or using a sandboxed environment) before using real content.

latest vk97a60ehfb0peh2bzdqa9rj35x84s2t6

Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
