Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Video Dance

v1.0.0

Turn a single portrait photo of a person into 1080p dancing video clips just by typing what you need. Whether it's animating photos of people into dancing vi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the declared primaryEnv (NEMO_TOKEN) and cloud-render workflow. However the SKILL.md frontmatter lists a configPath (~/.config/nemovideo/) that is not present in the registry metadata — an inconsistency between what the file claims it will use and what the skill declares.
Instruction Scope
Instructions direct the agent to obtain/upload user images and to POST/GET many endpoints on mega-api-prod.nemovideo.ai (auth, upload, render, state). They also instruct detecting the install path to set an attribution header and reference storing session_id and using/setting NEMO_TOKEN. Reading/writing '~/.config/nemovideo/' and probing install paths could expose local info; uploading user photos and tokens to an external service is expected for this capability but is a privacy-sensitive action that users should explicitly accept.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk footprint and installer risk.
Credentials
Only NEMO_TOKEN is declared as required, which is proportionate for a third-party API. But SKILL.md also references a local config directory and asks the agent to derive headers from an install path — those local accesses are not justified by the registry listing and may expose additional local state.
Persistence & Privilege
The skill instructs saving a session_id and potentially storing/using an acquired anonymous token (NEMO_TOKEN). It does not request always:true, nor does it attempt to modify other skills, but persistent session tokens and local config writes are possible and should be limited/inspected.
What to consider before installing
This skill will upload images and session tokens to a third-party service (mega-api-prod.nemovideo.ai) and may read/write a local config directory and probe install paths. That is coherent with an online image-to-video renderer, but you should:
1) confirm the service's identity and privacy/retention policy before sending photos (avoid sensitive images),
2) prefer using an anonymous/ephemeral token (and verify where the agent stores it),
3) be cautious about allowing the skill to read '~/.config/nemovideo/' or detect install paths because that can reveal local info, and
4) if unsure about the origin of this skill (source is unknown), do not install or test with real personal data until you can verify the domain and operator.

Like a lobster shell, security has layers — review code before you run it.

latestvk9729ng4x7zrew9as2x8j9mqgh84sp4w

Runtime requirements

💃 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
