ClawHub

Photo To Video

v1.0.0

turn images into animated video slideshow with this photo-to-video skill. Works with JPG, PNG, WEBP, HEIC files up to 200MB. social media creators use it for...

0· 25·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description describe a cloud render service and the SKILL.md directs calls to a NemoVideo API and requires a NEMO_TOKEN — this is coherent for a remote photo→video skill. The only oddity: the frontmatter lists a config path (~/.config/nemovideo/) that the visible instructions don't clearly require, creating a minor mismatch between claimed config access and described behavior.
Instruction Scope
Runtime instructions confine actions to: obtaining/using a NEMO_TOKEN (or generating an anonymous one), uploading user-supplied images, opening a session, SSE chat, export polling, and returning download URLs. The skill does not instruct reading arbitrary user files or unrelated environment variables. It does instruct saving session_id and tokens (without specifying exact storage location), which implies writing state locally or to a config location.
Install Mechanism
No install spec or code files are provided (instruction-only), so nothing is downloaded or written by an installer. This minimizes attack surface from install-time downloads.
Credentials
Only a single credential (NEMO_TOKEN) is required and is appropriate for an API-backed rendering service. However, the frontmatter includes a config path (~/.config/nemovideo/) even though the registry metadata lists no required config paths and the body doesn't explicitly require reading that path — an inconsistency worth clarifying.
Persistence & Privilege
The skill does not request permanent elevated presence (always:false) and does not modify other skills. It does expect to create/save session tokens (session_id and anonymous token) which is reasonable for session continuity, but you should confirm where those are stored (local config directory vs ephemeral memory).
Assessment
This skill appears to be what it says: it uploads photos to an external NemoVideo service and returns rendered videos, and it needs a NEMO_TOKEN to authenticate. Before installing: (1) Confirm you are comfortable uploading the images to the external domain (https://mega-api-prod.nemovideo.ai) — do not send sensitive images. (2) Protect the NEMO_TOKEN like any API secret; prefer using an anonymous token for testing. (3) Ask or inspect where the skill will persist session data (it references saving session_id and a config path (~/.config/nemovideo/) in its frontmatter). (4) Test with non-sensitive photos first and monitor for unexpected network activity or files created under your home config. (5) Note there is no homepage or published source to verify the service—if provenance matters, request a maintainer/source before trusting production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dzkyd04jey44p17h7xmv5w584je6t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments