ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Video No Filter

v1.0.0

Turn a single product photo or portrait image into 1080p unfiltered video clips just by typing what you need. Whether it's converting still images to video w...

0· 33·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (image→video) align with the endpoints, file types, and rendering pipeline described. Requiring a NEMO_TOKEN and a nemovideo config path is coherent for a hosted render service.
!
Instruction Scope
The SKILL.md instructs the agent to auto-request an anonymous token, create and store session_id, and to 'detect' platform by reading install paths (e.g., ~/.clawhub, ~/.cursor/skills) to set attribution headers. Reading install paths was not declared in the metadata's configPaths and is out-of-scope for a simple converter; automatic credential creation/persistence is sensitive and not fully specified (where/how to store secrets, and for how long).
Install Mechanism
Instruction-only skill with no install spec or code to download — lowest install risk. All runtime behavior is via network calls to the described API.
Credentials
Only NEMO_TOKEN is declared as required, which fits a hosted service. However, the skill instructs generating an anonymous token when none is present and storing it (the SKILL.md treats this token as NEMO_TOKEN). That implies the skill will create and persist credentials on the host — a capability users should be comfortable with. Also, the skill expects to read install paths (undocumented in requires.configPaths) to populate X-Skill-Platform attribution headers.
Persistence & Privilege
always:false and no claims to modify system-wide settings or other skills. The skill does request storing session_id and possibly the anonymous token, which is normal for a session-based remote service but should be understood by the user.
What to consider before installing
This skill talks to a remote rendering service (mega-api-prod.nemovideo.ai). Before installing: 1) Decide if you trust uploading images to that external service (they run renders on their GPUs). 2) Note the skill will automatically request an anonymous NEMO_TOKEN if you don't provide one and will persist that token/session locally — ask where tokens are saved and how to delete them. 3) The instructions tell the agent to read install paths to set attribution headers; this filesystem access wasn’t listed in the declared configPaths. If you need tighter control, provide your own NEMO_TOKEN (from the vendor) instead of allowing anonymous token creation, and confirm how/where tokens and session IDs are stored and expired. If you cannot verify the skill's source or token storage behavior, treat it as potentially risky and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk975tfw97yvt7yn9jnbxc8fqrn84v1a8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments