Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Image To Video

v1.0.0

Marketers and social media creators convert images into animated video clips using this skill. Accepts JPG, PNG, WEBP, HEIC up to 200MB, renders on cloud GPUs a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the SKILL.md instructions (upload images, create render jobs, return MP4). Requesting NEMO_TOKEN as the primary credential is proportionate. However, SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — a mismatch in declared requirements.
Instruction Scope
Instructions are narrowly scoped to communicating with mega-api-prod.nemovideo.ai: obtaining an anonymous token, creating a session, uploading files, streaming SSE edits, and starting renders. They do not instruct reading arbitrary system files or unrelated env vars. One small scope concern: the skill asks callers to 'auto-detect' platform from the install path (which may require inspecting file paths), and the frontmatter includes a configPath that could imply reading ~/.config/nemovideo/ (though the runtime steps do not explicitly require reading that path).
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. That lowers install-time risk.
Credentials
Only one environment variable is required: NEMO_TOKEN (declared as primary). That is consistent with a cloud-rendering service. No unrelated credentials or broad-scoped secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not declare modifications to other skills or system-wide settings. It can be invoked autonomously (the default), which is normal for skills.
What to consider before installing
This skill appears to do what it says (upload images to a cloud renderer and return MP4s) and only asks for one credential (NEMO_TOKEN). However:
1) The source/homepage is unknown — verify that mega-api-prod.nemovideo.ai is the legitimate backend you want to trust before providing a token.
2) The SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) though registry metadata omitted it — ask the publisher to clarify whether the skill will read local config files.
3) Uploaded images and any metadata will be sent to the external service; avoid sending sensitive images until you confirm retention/privacy and access controls.
4) Prefer using a limited-scope or anonymous token (the instructions include a way to request a short-lived anonymous token) rather than a long-lived personal credential.
If you need higher assurance, request the publisher's provenance (homepage, owner identity, or official docs) or test with throwaway data/anonymous tokens first.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bswzd02b8c0pyw9hst27yn984karv


Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
