Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Maker Free From Photos

v1.0.0

Get slideshow MP4 video ready to post, without touching a single slider. Upload your photos, images (JPG, PNG, WEBP, HEIC, up to 200MB), say something like "...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name/description (slideshow MP4 from photos) aligns with the runtime instructions (upload photos, call a remote render API). Requesting a single service token (NEMO_TOKEN) is expected. Inconsistency: the registry metadata summary lists no config paths but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). Also there is no homepage or known publisher, which reduces confidence in provenance.
Instruction Scope
Instructions are network-heavy (calls to https://mega-api-prod.nemovideo.ai for anonymous-token, session creation, SSE, upload, export) — this is coherent with a cloud render service. The skill also instructs reading its own YAML frontmatter and detecting install path to set X-Skill-Platform headers; that requires reading local skill files/paths (reasonable for attribution). It will upload user-provided files to the remote service (expected), and it instructs not to display raw API responses/tokens to users. Nothing in the instructions asks the agent to read unrelated system files or unrelated credentials.
Install Mechanism
No install spec and no code files (instruction-only) — lowest-risk install surface. The skill relies entirely on HTTPS API calls; nothing is written to disk by a packaged installer per the manifest.
Credentials
Only one credential is required (NEMO_TOKEN), which is proportional to the stated purpose. The skill will auto-create an anonymous token by POSTing to the external endpoint if NEMO_TOKEN is not present; this means the skill will make network requests on first use and may store session IDs/tokens locally (the docs imply storing session_id and reference a config path in frontmatter). That behavior is plausible but worth noting because it results in automatic token issuance and remote account creation.
Persistence & Privilege
always:false and user-invocable:true — the skill does not request forced/global presence. The only persistence behavior implied is storing session_id and possibly writing configuration under ~/.config/nemovideo/ (mentioned in SKILL.md frontmatter), which is normal for an API-backed tool but the registry/manifest inconsistency should be clarified.
What to consider before installing
This skill appears to do what it claims (upload your photos to a remote renderer and return an MP4), but you should verify the remote service before use: the backend domain (mega-api-prod.nemovideo.ai) has no homepage or publisher listed in the manifest. Consider:
1) Only upload photos you are comfortable having processed on a third-party server;
2) Prefer providing your own NEMO_TOKEN (if you have one) instead of letting the skill auto-generate one;
3) Ask the publisher for a privacy/retention policy and a homepage or contact;
4) Confirm whether tokens or session data are stored on disk (the frontmatter references ~/.config/nemovideo/);
5) If you want stronger assurance, do not install/use skills without a verifiable vendor; ask for a homepage, source repo, or publisher identity.
If the maintainer can explain the configPaths mismatch and provide a trusted homepage, this would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
