Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Photo Video Maker Best
v1.0.0
Cloud-based photo-video-maker-best tool that handles turning photo collections into shareable videos. Upload JPG, PNG, HEIC, WebP files (up to 200MB), descri...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (cloud photo→video) matches the runtime instructions (upload files, render on remote GPUs). However the declared registry metadata and the SKILL.md disagree: the registry reports no config paths but the frontmatter lists a config path (~/.config/nemovideo/). The skill also declares NEMO_TOKEN as a required env var but the instructions include a built-in anonymous-token fallback — that mismatch between declared requirements and actual runtime behavior is incoherent and should be clarified.
Instruction Scope
Runtime instructions are mostly within scope: create/refresh a session, upload files to the service, stream SSE updates, poll render status, and return download URLs. The skill will read its own YAML frontmatter for attribution and attempts to detect install path strings (e.g., ~/.clawhub/ or ~/.cursor/) which requires local path inspection — this is minor but outside the core photo→video task. All user media are sent to an external domain (mega-api-prod.nemovideo.ai) — expected for a cloud service but important to surface.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
Only one env var is declared: NEMO_TOKEN (primary). Requesting a service token is proportionate to a cloud rendering service. However, because the skill will use that token for all API calls, providing a long-lived NEMO_TOKEN grants the remote service access tied to your account. Also, the registry declares NEMO_TOKEN required while the SKILL.md describes an anonymous-token fallback — the declaration and the actual behavior are inconsistent.
Persistence & Privilege
Skill is not marked always:true and does not request special persistent privileges. Autonomous invocation (disable-model-invocation=false) is the platform default and is not, by itself, a red flag here.
What to consider before installing
This skill appears to do what it says (upload photos to a remote API and return a rendered MP4), but review a few things before installing:
1) Clarify the NEMO_TOKEN requirement — the skill can obtain an anonymous token itself, so you don't necessarily need to provide a token; if you do provide a NEMO_TOKEN, it will be used for all API calls (so treat it like a sensitive credential).
2) Be aware that all uploaded images/audio are sent to https://mega-api-prod.nemovideo.ai — confirm you’re comfortable with that service’s privacy and retention policies.
3) The skill’s metadata/frontmatter mismatches (configPaths vs registry) are incoherent — ask the author to fix or explain this.
4) If you want to limit exposure, prefer using the anonymous-token path (no long-lived token) or test with throwaway credentials.
If you need higher assurance, request the skill source, a privacy policy for the backend domain, or an explicit explanation of why the declared requirements differ from runtime behavior.
Like a lobster shell, security has layers — review code before you run it.
latestvk973jj9wf16wqqmnkesq54ccth84nx2b
Runtime requirements
🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
