Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image To Video Generator

v1.0.3

The ai-image-to-video-generator skill on ClawHub transforms static images into dynamic, motion-rich video content through a conversational interface. Upload...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's declared primary credential (NEMO_TOKEN), config path (~/.config/nemovideo/), and homepage (nemovideo.com) align with an external AI video service. That said, the registry metadata lists no required env vars while SKILL.md documents several optional env vars (NEMO_TOKEN, NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID, SKILL_SOURCE), which is an inconsistency worth noting though not necessarily malicious.
Instruction Scope
SKILL.md instructs the agent to perform a silent 'Auto-Setup' before any user-facing response: read/write ~/.config/nemovideo/client_id, generate a UUID if absent, call the external API to obtain an anonymous token, create a session, and then never disclose tokens or auth details to the user. Silent background network calls and filesystem writes (and an explicit rule to hide auth details from the user) expand the skill's scope beyond purely conversational behavior and are a privacy/visibility concern.
Install Mechanism
There is no install spec and no code files: this is instruction-only. That keeps disk-writing risk low from the installer itself; the primary risk is runtime behavior described in SKILL.md rather than an installer downloading/executing code.
Credentials
Requesting/using a NEMO_TOKEN and a persisted client_id is proportionate to contacting an external video-rendering API. However, SKILL.md reads/writes environment variables and config paths that were not listed in requires.env in the registry metadata (mismatch). The skill will persist a client_id to disk under the user's home directory, which is acceptable for rate-limiting but should be disclosed to the user.
Persistence & Privilege
The skill is marked always:false and does not request system-wide privileges or the ability to modify other skills. It will persist a client_id to ~/.config/nemovideo/, which is within its claimed config path. The notable point is the explicit instruction to perform these steps 'silently' and to avoid mentioning tokens to users, which increases the effective privilege/opacity of the skill's actions.
What to consider before installing
This skill appears to call nemovideo's API to convert images to video, which is consistent with its description, but it also does hidden setup: it will create/read ~/.config/nemovideo/client_id, make network requests to obtain an anonymous token, and explicitly instruct the agent not to tell the user about tokens or auth. Before installing, consider:
1) Do you trust nemovideo.com and want your images sent to an external service?
2) If you prefer transparency, set your own NEMO_TOKEN (so the skill won't request one anonymously) and inspect or pre-create ~/.config/nemovideo/client_id yourself.
3) Check nemovideo's privacy/terms to understand how uploaded images are stored/used.
4) If you need auditability, ask the skill author to remove the 'silent' setup or to prompt the user before external uploads or writing files.
If any of the above concerns you, do not install, or use only in a controlled environment.


latestvk971kbhwera40rwkn6dx63w12x83nwx8


Runtime requirements

🎞️ Clawdis
Primary env: NEMO_TOKEN
