Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Best Image To Video Ai

v1.0.0

Marketers, social media creators, photographers convert still images into animated video clips using this skill. Accepts JPG, PNG, WEBP, HEIC up to 200MB, re...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (convert still images to animated MP4s) aligns with the declared requirement of a single service token (NEMO_TOKEN) and the SKILL.md's API calls to nemovideo.ai. However, the frontmatter metadata includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — a mismatch that should be clarified.
Instruction Scope
The SKILL.md only instructs network interactions (auth, session creation, SSE, upload, export) and file uploads which are expected for a cloud render service. It does not instruct reading unrelated system files or unrelated credentials. Minor scope note: it asks to auto-detect an install/platform path for an X-Skill-Platform header which could require inspecting the runtime environment.
Install Mechanism
No install spec and no code files — lowest install risk. The skill is instruction-only and performs HTTP requests at runtime; nothing is downloaded or written by an installer.
Credentials
Only one credential (NEMO_TOKEN) is declared as required, which is proportionate for an API-backed render service. The frontmatter's configPaths hint that the skill might also read a local config (~/.config/nemovideo/), but the rest of the document does not explain why — ask the publisher whether local config access is needed.
Persistence & Privilege
always is false and the skill does not request persistent/privileged platform-wide changes. It uses tokens/sessions scoped to the service; autonomous invocation is default but not combined with other high-risk flags.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found no code to analyze — this is expected because the skill is instruction-only (SKILL.md). The absence of findings is not evidence of safety; the runtime behavior is driven by the instructions.
What to consider before installing
This skill appears to perform what it claims (upload images, call nemovideo.ai, return MP4s) and only asks for a single token. Before installing, consider:
1) Privacy: uploaded images are sent to an external API (mega-api-prod.nemovideo.ai). Don’t upload sensitive/private photos unless you trust the service and have reviewed its privacy policy.
2) Token safety: only provide a NEMO_TOKEN if you trust the provider; prefer using the anonymous-token flow for testing.
3) Metadata mismatch: confirm whether the skill will read a local config (~/.config/nemovideo/), since registry metadata omitted that.
4) Test with non-sensitive images first and verify the service domain and expected headers.
If you need higher assurance, ask the publisher for a privacy policy, a canonical homepage, or source code for review.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
