ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image Editor Free

v1.0.0

Tired of paying monthly fees just to crop, retouch, or enhance a photo? ai-image-editor-free gives you powerful AI-driven image editing without a price tag....

0· 34·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with a cloud image-editing service and the SKILL.md instructs use of nemo API endpoints accordingly. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and worth clarifying (why the skill would need to read a user config directory). Homepage/source are unknown which reduces ability to verify legitimacy.
Instruction Scope
Instructions are focused on creating an anonymous token, creating a session, uploading images, using SSE for edits, and polling export results — all consistent with a remote image-editing API. They require generating/storing a token and saving session_id. The skill also instructs detecting install path to populate an X-Skill-Platform header and refers to reading the YAML frontmatter at runtime. The instructions do not ask for unrelated secrets, but they do imply reading/writing a token and possibly reading a user config path (per frontmatter) and local file paths when uploading — which has privacy implications for user files.
Install Mechanism
No install spec and no code files — instruction-only. This is low-risk from an installation-code perspective (nothing downloaded or written by an installer).
Credentials
Only one credential is declared (NEMO_TOKEN) which is appropriate for a service that uses bearer auth. The SKILL.md covers anonymous token acquisition if the env var is absent. The remaining concern is the frontmatter's config path (~/.config/nemovideo/) which could allow the skill to read stored credentials or other local config; it's not justified explicitly in the registry metadata and should be explained.
Persistence & Privilege
Skill does not request always: true and is user-invocable only; model invocation is allowed (default). Nothing requests elevated system-wide configuration or automatic forced inclusion.
What to consider before installing
This appears to be a straightforward cloud image-editing skill that uses a Nemo backend and a single NEMO_TOKEN credential. Before installing: 1) Verify the API host (mega-api-prod.nemovideo.ai) is the genuine service you expect and check for an official homepage or repo; the package metadata lacks a homepage/source. 2) Confirm you are comfortable with images being uploaded to that remote service (privacy/PII risk). 3) Ask the maintainer why the SKILL.md frontmatter lists ~/.config/nemovideo/ (will the skill read that directory or stored tokens?) — the registry metadata did not declare that config path. 4) Ensure you only supply NEMO_TOKEN (or allow the skill to obtain an anonymous token) and do not provide unrelated secrets. 5) If you want a lower-risk test, run the skill in a restricted environment or with dummy images/tokens first. If the owner/source cannot be verified or they cannot explain the config-path mismatch, avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk974deysthdpc4n62yjsjjfymn843r9f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖼️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments