ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Animation Generator Free

v1.0.0

Get animated video clips ready to post, without touching a single slider. Upload your text prompts or images (MP4, MOV, PNG, JPG, up to 200MB), say something...

0· 30·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the skill sends prompts/files to a remote animation API and returns rendered video. Requesting a NEMO_TOKEN credential is expected for an API-backed service. However, the registry lists NEMO_TOKEN as required while the SKILL.md explicitly provides an anonymous-token fallback; that mismatch is inconsistent and could confuse users about whether they must supply a token. The metadata also declares a config path (~/.config/nemovideo/) that the SKILL.md does not clearly need.
Instruction Scope
Instructions are focused on the animation workflow (session creation, SSE, upload, export, polling). They instruct uploading user files and possibly polling for job completion — expected for this service but privacy-relevant because user files and prompts are sent to a third-party API (mega-api-prod.nemovideo.ai). The skill also asks the agent to detect install path to populate an X-Skill-Platform header (reading common install paths) — a minor filesystem probe that isn't harmful but isn't declared explicitly in required config paths beyond the earlier ~/.config/nemovideo/ entry. Overall scope is coherent with purpose but has privacy/network implications users should know.
Install Mechanism
No install spec or code is present (instruction-only). Nothing will be written to disk by an installer as part of this skill package, which lowers risk.
Credentials
Only a single credential (NEMO_TOKEN) is declared as primary, which is proportionate for an API client. However, SKILL.md will obtain an anonymous token when NEMO_TOKEN is absent, meaning NEMO_TOKEN isn't strictly required despite being listed as required in registry metadata — this inconsistency should be clarified. The declared config path (~/.config/nemovideo/) is plausible but not clearly used by the instructions.
Persistence & Privilege
The skill is not forced-always or requesting persistent elevated privileges. It is user-invocable and allowed autonomous invocation by default (normal for skills). It does not request modification of other skills or system-wide settings.
What to consider before installing
This skill routes user prompts and uploaded files to a third-party API (mega-api-prod.nemovideo.ai). Before installing, consider: 1) Privacy: any images, videos, or text you send will be uploaded to that external service — do not send sensitive or private data unless you trust the endpoint. 2) Token handling: the registry claims NEMO_TOKEN is required, but the instructions will request an anonymous token if none is present; decide whether you want to supply a personal token or let the skill use an ephemeral anonymous token. 3) Source trust: the skill has no homepage and an unknown owner — verify the service/organization independently if possible. 4) Attribution headers: the skill may probe common install paths to populate an X-Skill-Platform header; this is minor but worth knowing. If you need this capability but are concerned about confidentiality, prefer services with clear provenance, a privacy policy, and an audited client implementation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cw5ndbnm2be04fdhnzkdenx84t8x0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments