Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Video Download Free

v1.0.0

Get downloadable video files ready to post, without touching a single slider. Upload your images (JPG, PNG, WEBP, HEIC, up to 200MB), say something like "con...

0· 38·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: the skill uploads images and calls an external nemovideo.ai rendering API to produce downloadable videos. However, the SKILL.md metadata lists a config path (~/.config/nemovideo/) while the registry summary shows no required config paths — this mismatch is inconsistent. Also the skill declares NEMO_TOKEN as the primary credential but includes a full anonymous-token generation flow, so requiring the env var as mandatory is misleading.
Instruction Scope
Instructions are scoped to uploading user images, creating sessions, streaming edits via SSE, polling render status, and returning download URLs. The skill does not instruct reading arbitrary system files or unrelated credentials. One minor point: it derives X-Skill-Platform by inspecting install paths (e.g. ~/.clawhub/), which implies the agent may check certain filesystem paths — that should be limited to avoid unnecessary host info collection.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk by an installer. That lowers install risk.
!
Credentials
The skill lists NEMO_TOKEN as a required/primary env var, yet the runtime instructions explicitly generate an anonymous token if none is present. Requiring a persistent env token is therefore disproportionate or at least misleading. The metadata/configPaths inconsistency (registry: none vs SKILL.md: ~/.config/nemovideo/) also raises questions about where tokens/sessions are stored and whether the skill expects filesystem access to that config directory.
Persistence & Privilege
always:false and model-invocation is permitted (platform default). The skill does ask to store session_id and tokens for subsequent calls, which is normal for a remote API integration; it does not request system-wide or cross-skill config changes.
What to consider before installing
This skill appears to call an external nemovideo.ai service to render videos from your uploaded images, which fits its description. Before installing or enabling: (1) Ask the author how and where NEMO_TOKEN and session IDs are stored (in-memory vs on-disk in ~/.config/nemovideo/) and refuse if they want to write to unexpected locations. (2) If you don't already have a NEMO_TOKEN, confirm you consent to the skill generating an anonymous token on your behalf and that this token's scope and lifetime are acceptable. (3) Confirm the backend domain (mega-api-prod.nemovideo.ai) is the intended service and that uploads will only contain the images you provide. (4) If you are uncomfortable with the agent checking install paths to set X-Skill-Platform, request a version that omits that behavior. If the developer cannot explain the config/token storage and the need for a required env var that the skill can auto-create, treat the mismatch as a red flag and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk97ev0btn041sf3gy4nqx0rem985aenw
38downloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0

Getting Started

Ready when you are. Drop your images here or describe what you want to make.

Try saying:

  • "convert three vacation photos in JPG format into a 1080p MP4"
  • "convert my photos into a video I can download for free"
  • "turning photos into a shareable MP4 video for social media creators"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

Image to Video Download Free — Convert Photos to Downloadable Video

Send me your images and describe the result you want. The AI video creation runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload three vacation photos in JPG format, type "convert my photos into a video I can download for free", and you'll get a 1080p MP4 back in roughly 20-40 seconds. All rendering happens server-side.

Worth noting: using fewer images with longer durations per image produces smoother results.

Matching Input to Actions

User prompts referencing image to video download free, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is image-to-video-download-free, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

Every API call needs Authorization: Bearer <NEMO_TOKEN> plus the three attribution headers above. If any header is missing, exports return 402.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

SSE Event Handling

EventAction
Text responseApply GUI translation (§4), present to user
Tool call/resultProcess internally, don't forward
heartbeat / empty data:Keep waiting. Every 2 min: "⏳ Still working..."
Stream closesProcess final response

~30% of editing operations return no text in the SSE stream. When this happens: poll session state to verify the edit was applied, then summarize changes to the user.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "convert my photos into a video I can download for free" — concrete instructions get better results.

Max file size is 200MB. Stick to JPG, PNG, WEBP, HEIC for the smoothest experience.

Export as MP4 for widest compatibility across all devices and platforms.

Common Workflows

Quick edit: Upload → "convert my photos into a video I can download for free" → Download MP4. Takes 20-40 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...