Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Animation Generator
v1.0.0
Generate text or images into animated video clips with this skill. Works with PNG, JPG, MP4, GIF files up to 200MB. content creators, marketers, indie animat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate animations from images/text) aligns with the runtime instructions: the SKILL.md describes an API-driven cloud render flow and requires a NEMO_TOKEN. However, the SKILL.md metadata lists a config path (~/.config/nemovideo/) and requires detecting install path at runtime, while the registry metadata provided to the evaluator says no required config paths — this mismatch is an incoherence to clarify with the author.
Instruction Scope
Instructions direct the agent to call external endpoints (mega-api-prod.nemovideo.ai) for anonymous token issuance, session creation, SSE-based messaging, uploads and exports. Upload instructions explicitly allow multipart uploads from local filesystem paths (files=@/path) or URLs, and the skill tells the agent to detect install path and read the SKILL frontmatter at runtime. Those file-system and upload steps are plausible for a media upload service but also permit reading and transmitting arbitrary local files if the agent is given paths — this broad file-access capability is a potential exfiltration vector and should be constrained/clarified.
Install Mechanism
No install spec or downloaded code — instruction-only skill. That reduces supply-chain risk because nothing is written or executed on disk by an installer, but the skill will perform network calls at runtime to an external API.
Credentials
Only one credential (NEMO_TOKEN) is declared and used as the Bearer token for the API, which is proportionate to the described API usage. The SKILL.md also includes a flow to request an anonymous token from the API when NEMO_TOKEN isn't set, which is reasonable. The apparent mismatch between registry-declared config paths (none) and SKILL.md metadata (asks for ~/.config/nemovideo/) is a red flag: that path could contain other tokens/config and should be clarified.
Persistence & Privilege
The skill does not request 'always: true' or otherwise force permanent inclusion. It instructs saving session_id and using tokens for API calls, which is normal for a session-based cloud service. There is no instruction to modify other skills or global agent settings.
What to consider before installing
This skill appears to be an API client for an external video-render service and needs a NEMO_TOKEN (it can also request a temporary anonymous token). Before using it:
1) confirm the API domain (mega-api-prod.nemovideo.ai) is legitimate for the provider you trust;
2) ask the author to explain the config-path discrepancy (registry says none but SKILL.md references ~/.config/nemovideo/ and install-path detection);
3) be cautious about uploading files — the instructions allow the agent to upload local filesystem paths, which could exfiltrate sensitive files if misused; only provide media files you intend to send;
4) prefer supplying a limited-scope/short-lived token (or use the anonymous token flow) rather than long-lived credentials; and
5) if you need stronger assurance, ask for a signed skill from a known publisher or request a trimmed SKILL.md that forbids arbitrary local-path uploads and clarifies storage of session tokens.
Like a lobster shell, security has layers — review code before you run it.
latest vk975ta51rqs1va8c9hyjmx1x0x84vqwq
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
