Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image Creator Online

v1.0.0

Generate images or prompts into AI generated visuals with this skill. Works with JPG, PNG, WebP, MP4 files up to 200MB. marketers, content creators, social m...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and SKILL.md actions all describe remote image/video generation and session/rendering APIs, so the requested NEMO_TOKEN credential is coherent. However the metadata also lists a user config path (~/.config/nemovideo/) that the instructions do not reference; the skill's source is 'unknown' and there is no homepage, which reduces confidence in the provider.
Instruction Scope
Instructions are explicit about creating/using an anonymous or provided NEMO_TOKEN, creating sessions, streaming via SSE, uploading user files (images/audio/video up to 200MB), starting renders, and polling status. These actions are expected for a cloud render service. The runtime behavior will transmit user files and prompts to https://mega-api-prod.nemovideo.ai; that data exfiltration is expected for the stated feature but is a privacy risk given the unknown backend operator. The SKILL.md does not instruct reading other local secrets or files beyond optional configPaths, which reduces some risk.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes local install risk — nothing is downloaded or written by an installer step.
Credentials
The only declared required env var is NEMO_TOKEN which matches the described API. However metadata also declares a configPaths entry (~/.config/nemovideo/) without any corresponding runtime instruction to read it; that mismatch is unexplained and suggests the skill might request access to local configuration it doesn't need. Additionally, relying on an externally minted anonymous token (created by calling the service) is plausible but means the skill will operate under credentials it creates or is given — understand what those credentials allow.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. It does describe storing and reusing a session token for render jobs (normal for this service) but does not request to modify other skills or system-wide settings.
What to consider before installing
This skill will upload whatever images, audio, and prompts you provide to https://mega-api-prod.nemovideo.ai and operate under a NEMO_TOKEN (either one you supply or an anonymous token it fetches). Before installing or using it:
1) Verify the service/operator (homepage, privacy policy, terms) — none are provided here.
2) Do not upload sensitive or private images (IDs, medical records, confidential designs) until you confirm data retention and sharing policies.
3) Ask why the skill metadata lists ~/.config/nemovideo/ (what would it read/write?) and whether it will ever access other local files.
4) If you use the anonymous token flow, understand how long tokens last and how to revoke them.
5) Prefer testing with non-sensitive sample data first.
If you cannot verify the backend's trustworthiness, avoid using the skill for confidential material.

Like a lobster shell, security has layers — review code before you run it.

latestvk973mmqn1ek6g41rkrdcgfps8n84pgf7


Runtime requirements

🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
