Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Leonardo Ai

v1.0.2

Get a finished image file from Leonardo AI in under 60 seconds by dropping a text prompt into this skill. It's built for creators who need concept art, produ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md directs calls to a Leonardo-like REST API and expects an API token (NEMO_TOKEN). Requested functionality (generate, upload, export, credits, session management) aligns with an image-generation skill.
Instruction Scope
Instructions are explicit about creating sessions, sending SSE messages, uploading files, polling results, and (if no NEMO_TOKEN is present) obtaining an anonymous token via the vendor's auth endpoint. They also instruct deriving attribution headers from the skill frontmatter and by detecting an install path, which implies reading agent install location. Those behaviors are coherent with the skill's purpose but are privacy-relevant (see guidance).
Install Mechanism
No install spec or code files are present (instruction-only). This is lowest-risk from an install perspective — nothing is downloaded or written by an installer step in the package itself.
Credentials
The skill declares a single required credential (NEMO_TOKEN), which is appropriate for a remote API integration. However, the SKILL.md frontmatter also mentions a config path (~/.config/nemovideo/) that could be used to read or store credentials — the registry metadata you provided earlier did not list config paths, so this is an inconsistency to confirm with the publisher.
Persistence & Privilege
The skill is not always-enabled and uses the platform default (agent-autonomous invocation allowed). The SKILL.md implies tokens/sessions will be created and used, and may store or read config under ~/.config/nemovideo/ (metadata), but it does not explicitly request system-wide privileges or modify other skills. Verify whether tokens will be persisted to disk and where.
Assessment
This skill appears to do what it says: it needs an API token (NEMO_TOKEN) and will call https://mega-api-prod.nemovideo.ai to create sessions, upload files, and return generated images. Before installing: (1) Confirm the source — the skill's publisher/homepage is unknown. (2) Decide whether you want to provide a long‑lived NEMO_TOKEN; if not, use a short/ephemeral token or rely on the anonymous 7‑day token flow. (3) Be aware that the skill may read your agent install path and may read/write under ~/.config/nemovideo/ (the SKILL.md frontmatter contains that configPath but the registry metadata did not — ask the publisher to clarify). (4) Avoid sending highly sensitive local files to the service unless you trust the remote domain. If you need greater assurance, request the publisher add explicit statements about token storage, config file usage, and exactly which local paths (if any) are accessed or written.


latest: vk97czh5rbyzjnz78468nyk8pxd84ened


Runtime requirements

🎨 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
