ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Jiggle Video Generator Free

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — apply a jiggle bounce effect to this image to make it look animated — and...

0· 38·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the skill sends user images/videos to a cloud API to produce jiggle animations. Requesting a NEMO_TOKEN credential is consistent with that purpose. However, the frontmatter/metadata in SKILL.md also lists a config path (~/.config/nemovideo/) while the registry summary reports no required config paths — this mismatch is unexplained and reduces confidence in metadata accuracy.
Instruction Scope
The SKILL.md gives concrete API workflows (session creation, SSE chat, upload, export) and only references data needed for the stated task (user media, session token, render drafts). It instructs the agent to upload user files to https://mega-api-prod.nemovideo.ai and to include specific attribution headers. There are no instructions to read unrelated system files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which limits disk-write/execute risk.
!
Credentials
The registry metadata declares NEMO_TOKEN as a required/primary env var — reasonable for an API client — but the runtime instructions say the agent should generate an anonymous token via an API call if NEMO_TOKEN is not present. That behavior conflicts with the 'required' designation and should be clarified. Also the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry listing shows none; this mismatch suggests the skill may expect access to a local config directory not documented elsewhere.
Persistence & Privilege
always:false and no install means the skill does not request persistent/system-wide presence. The skill is allowed to be invoked autonomously by agents (platform default), which is expected for a normal skill and not flagged alone.
What to consider before installing
This skill appears to call a third‑party API to render and return videos — that requires uploading your images/videos and using an API token. Before installing: (1) Confirm the service identity and privacy policy for mega-api-prod.nemovideo.ai (source/homepage is unknown here). (2) Decide whether you trust uploading the types of images you will send (sensitive media could be exposed). (3) Clarify the NEMO_TOKEN requirement vs the documented anonymous-token flow: if you set NEMO_TOKEN, ensure it’s from a trusted account; if you rely on anonymous tokens, understand they grant short-lived credits via a server-side endpoint. (4) Ask the publisher to resolve metadata mismatches (declared configPaths vs registry, and required env var vs optional anonymous acquisition). (5) Prefer using ephemeral or least‑privilege tokens and avoid storing long‑lived secrets unless you trust the service.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739zmzbynstp9e0z3jddrrz184rfpr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments