Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Photo Video Maker Fast

v1.0.0

Turn photos and images into a polished slideshow video with this photo-video-maker-fast skill. Works with JPG, PNG, HEIC, WEBP files up to 200MB. social media...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, API endpoints, upload and export flows all align with a cloud-based photo→video service and the single declared credential (NEMO_TOKEN) is appropriate. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — an internal inconsistency that should be clarified.
Instruction Scope
Runtime instructions stay within a cloud-rendering workflow (create session, SSE for edits, upload files, request export). Concerning bits: the skill instructs the agent to auto-generate anonymous tokens by POSTing to an external endpoint and to 'store' session_id/token, and explicitly tells the agent not to display raw API responses or token values to the user. The upload example uses multipart file paths (files=@/path) which implies the agent may be expected to access local filesystem paths — acceptable for uploading user-selected photos but risky if the agent can pick arbitrary paths.
Install Mechanism
Instruction-only skill with no install spec or code files; lowest install risk. There is no external download/extract or package installation.
Credentials
Only a single credential (NEMO_TOKEN) is required and is the declared primaryEnv, which fits the described cloud API usage. The skill also describes generating anonymous tokens itself if NEMO_TOKEN is absent — reasonable for convenience but means the skill will autonomously obtain credentials and use them. Consider whether that automatic provisioning is acceptable for your security/privacy posture.
Persistence & Privilege
always is false and the skill does not request to run always or to modify other skills. It asks to store session tokens for the workflow (normal).
What to consider before installing
This skill appears to implement a cloud photo→video flow and only requests one credential (NEMO_TOKEN), which is consistent, but take these precautions before installing:
1) Clarify the metadata inconsistency about ~/.config/nemovideo/ (why is it listed in the frontmatter but not as a required config path?).
2) Confirm the backend domain (mega-api-prod.nemovideo.ai) is a legitimate service you trust; anonymous tokens it creates can be used to run jobs and may be linked to usage limits or billing.
3) Ask how and where tokens/session_ids are stored and for how long; the SKILL.md explicitly tells the agent to hide token values from the user, which is unusual and could hide unexpected behavior.
4) Ensure uploads only include files you explicitly select; avoid granting an agent blanket filesystem access.
5) If you need stronger assurance, request the service's privacy/billing docs or a signed source/homepage before trusting permanent environment NEMO_TOKEN values.

Like a lobster shell, security has layers — review code before you run it.

latest: vk971zzhyt9y06dpcj9v2c2rnz984my1c


Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
