Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Animation Maker Free

v1.0.0

create images or text into animated MP4 videos with this animation-maker-free skill. Works with JPG, PNG, GIF, MP4 files up to 200MB. small business owners,...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to create animated MP4s and the instructions are consistent with calling a remote render service. However the registry metadata lists NEMO_TOKEN as a required env var while the SKILL.md explicitly implements automatic anonymous-token creation if NEMO_TOKEN is absent — a metadata/behavior mismatch. The SKILL.md frontmatter also references a config path (~/.config/nemovideo/) even though the skill registry summary said no config paths, another inconsistency.
Instruction Scope
Instructions direct the agent to POST credentials and files to https://mega-api-prod.nemovideo.ai, create sessions, stream SSE, and upload user files (multipart or by URL). That is expected for a cloud render service, but it also means user media and generated tokens will be sent to an external host. The doc tells the agent to generate and store/use tokens automatically and to include attribution headers; it also assumes the agent can access file paths for multipart uploads. Because the service owner and homepage are unknown, and because the skill can create tokens on behalf of the agent, this expands the attack surface (data exfiltration or unexpected retention).
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing is written to disk by an installer step. That is the lowest install risk.
Credentials
Only one credential is requested (NEMO_TOKEN), which is appropriate for a single backend API. But the registry declares this env var as required while SKILL.md will obtain an anonymous token if it's missing — an inconsistency. The frontmatter claims a config path which suggests possible local persistence of tokens or state; the registry earlier did not list config paths.
Persistence & Privilege
always:false and no instructions to modify other skills or system-wide settings. The skill can be invoked autonomously (normal default) but it is not force-enabled for all agents.
What to consider before installing
This skill calls an external API (mega-api-prod.nemovideo.ai) and will upload the images/audio you provide and create/use a bearer token (NEMO_TOKEN). Before installing or using it:
1) Confirm you trust the external service and its privacy/retention policy (owner/homepage are not provided).
2) Avoid supplying sensitive images or credentials; use throwaway/test data first.
3) If you don't want the agent to auto-provision tokens, set your own NEMO_TOKEN or ask the publisher how tokens are stored and rotated (SKILL.md suggests possible local config usage).
4) If acceptable, proceed; otherwise request a vendor homepage, privacy policy, and clarification about where media and auto-generated tokens are persisted.

Like a lobster shell, security has layers — review code before you run it.

latest vk97c7taswc4zjrqa28d5213wvs84k4gy

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
