Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Text To Image Ai Free

v1.0.0

Content creators generate text prompts into AI generated visuals using this skill. Accepts JPG, PNG, WEBP, MP4 up to 200MB, renders on cloud GPUs at 1080p, a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the runtime instructions and required env var (NEMO_TOKEN). The skill legitimately calls a remote rendering API and uploads user media. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that is not listed in the registry-level 'required config paths' (registry metadata said none) — a metadata mismatch worth flagging.
Instruction Scope
Instructions tell the agent to check for NEMO_TOKEN and, if missing, generate a UUID and call the anonymous-token endpoint to obtain a token; to create sessions, upload user files, stream SSE, and poll state. These operations require network access and will send user media (up to 200MB) to the remote backend. The instructions also ask the agent to detect its install path to set an attribution header (this requires probing the filesystem), which is outside the declared env var but is used on every request. The flow is coherent for a rendering skill but expands agent actions beyond simple API calls (token creation + filesystem inspection + large file upload).
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-install risk (nothing downloaded or written by an installer).
Credentials
Only one environment variable is declared (NEMO_TOKEN), which is appropriate for an API-backed rendering service. However SKILL.md implies creating and using an anonymous token automatically if none is present (the agent will call the auth endpoint to obtain a short-lived token). The SKILL.md frontmatter also references a config path (~/.config/nemovideo/) not present in the registry manifest — this mismatch means the skill may expect disk-based config that wasn't declared.
Persistence & Privilege
always:false and normal autonomous invocation are used; the skill does not request elevated or permanent platform privileges. There is no instruction to modify other skills or global agent settings. The potential persistence risk is that the agent could obtain and reuse an anonymous token (7-day expiry) if the runtime stores it — SKILL.md doesn't explicitly instruct storing tokens persistently.
What to consider before installing
This skill appears to do what it says (upload media and call a Nemo render API) but exercise caution before enabling it:
1) Prefer supplying your own NEMO_TOKEN from a trusted source rather than allowing the agent to generate an anonymous token on your behalf;
2) Be aware the agent will upload whatever files you give it (up to ~200MB) to an external service — check privacy/terms for sensitive content;
3) The instructions ask the agent to probe install paths to set headers and reference a config path in SKILL.md that isn't declared in the registry — if you want to limit filesystem access, confirm whether your agent runtime will actually perform those checks;
4) If you proceed, monitor network requests and avoid persisting tokens you don't control.
If you need higher assurance, ask the publisher for source code or an official homepage and for clarification about where tokens are stored and what the config path is used for.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dce8ywcw3vp0kwtm8d3tm1h84kx2j

Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
