ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Photo Video Maker Easy

v1.0.0

casual creators and social media users turn photos and images into polished slideshow video using this skill. Accepts JPG, PNG, HEIC, WebP up to 200MB, rende...

0· 59·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (turn photos into slideshow videos) lines up with the runtime instructions: uploads, session creation, SSE, render/export endpoints at mega-api-prod.nemovideo.ai. Requested credential (NEMO_TOKEN) is consistent with a third-party API token. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch should be resolved.
Instruction Scope
The SKILL.md instructs only API calls (auth, session, upload, render) and standard file uploads; it does not tell the agent to read arbitrary system secrets or unrelated files. Two items to note: (1) it says to auto-detect an install path to set X-Skill-Platform (this may require reading agent/install path metadata), and (2) it requires saving session_id and using Bearer tokens—expected for this API but you should confirm how uploaded files are transmitted/stored by the remote service. No instructions appear to exfiltrate other environment variables or system files.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. All runtime actions are network/API calls; nothing is written or downloaded by an install phase.
Credentials
Only one environment variable is requested (NEMO_TOKEN), which is proportionate for a service that needs an API token. Caveat: SKILL.md also documents generating an anonymous token flow and lists a config path in frontmatter (~/.config/nemovideo/) — if the skill actually reads/writes that path, it increases access scope and should be declared explicitly. Confirm whether the skill will attempt to read that config path or other files.
Persistence & Privilege
Skill is not marked always:true and does not request persistent platform-level privileges. It does request storing a session_id for workflow continuity (normal). Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to genuinely implement a cloud-based photo→video workflow and only asks for a single API token (NEMO_TOKEN). Before installing: (1) verify the source/trustworthiness of 'mega-api-prod.nemovideo.ai' and whether you’re comfortable uploading private photos to that service; (2) confirm the discrepancy about the config path (~/.config/nemovideo/) — ask the publisher whether the skill will read/write that directory; (3) avoid placing any unrelated secrets in NEMO_TOKEN and prefer using the anonymous-token flow if you want limited, short-lived access; (4) if you need stronger guarantees, request the publisher’s privacy/retention policy for uploaded media and logs. These clarifications would raise confidence to high; absent them, treat the skill as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fbc9s7verzsk52cbzrpbcfd84nf78

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments