Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Japanese Photo Video Maker
v1.0.0Japanese content creators create Japanese photos into photo slideshow video using this skill. Accepts JPG, PNG, HEIC, WebP up to 200MB, renders on cloud GPUs...
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (turn photos into slideshow videos) align with the runtime instructions (upload photos, request renders from a cloud GPU backend). Requiring NEMO_TOKEN and calls to nemovideo.ai are coherent with the stated purpose. Note: the registry metadata earlier listed no config paths but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/), an inconsistency that should be resolved.
Instruction Scope
Instructions direct the agent to upload user photos and metadata to https://mega-api-prod.nemovideo.ai, obtain or reuse a bearer token (NEMO_TOKEN), open SSE streams, poll render status, and persist a session_id for subsequent requests. Uploading user media to an external service is expected for this functionality, but the skill also instructs automatic anonymous-token creation when NEMO_TOKEN is absent and to 'store the returned session_id' without specifying storage scope or retention—this may lead to persistent credentials/config being written to disk or retained across sessions. The SKILL.md also instructs not to display raw API responses or tokens to the user, which could hide sensitive values if stored.
Install Mechanism
Instruction-only skill with no install spec and no code files: nothing is written to disk by an install step. This is the lowest install risk.
Credentials
Only NEMO_TOKEN is declared as a required environment variable (primary credential), which is appropriate for a service that authenticates requests. However, the SKILL.md frontmatter also declares a config path (~/.config/nemovideo/) not present in the registry metadata—this mismatch is unexplained. The skill will generate an anonymous token if none exists, which is reasonable but means credentials may be created and used transparently.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation, which is expected. The concern is that it instructs persisting a session_id and the frontmatter lists a config directory; storing session tokens or config on disk would increase the blast radius if those files are accessible to other processes or skills. There is no justification in metadata for persistent config beyond the SKILL.md, and no guidance on how long tokens/sessions are retained or how a user can revoke them.
What to consider before installing
This skill appears to do what it says (upload photos to a cloud renderer) but you should be careful before installing: 1) Understand privacy: your photos and any metadata will be sent to mega-api-prod.nemovideo.ai — only upload content you are comfortable sharing with a third party. 2) Ask the publisher for source/homepage and clarify where session tokens are stored (in-memory vs ~/.config/nemovideo/) and how to delete/revoke them. 3) If you don't want persistent credentials/files, do not set NEMO_TOKEN and verify the agent does not write tokens to disk; consider running in an environment where written config is ephemeral. 4) If you are concerned about autonomous use, restrict or monitor the skill's permissions and network activity. 5) If you need higher assurance, request an official endpoint description, privacy policy, and verify the domain/owner before providing real content.Like a lobster shell, security has layers — review code before you run it.
latestvk97aay50g3ssqkyspbwyhnb0m584mqn3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎌 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN