Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Photo Video Maker Arabic
v1.0.0turn photos and images into Arabic slideshow video with this photo-video-maker-arabic skill. Works with JPG, PNG, HEIC, WebP files up to 200MB. Arabic-speaki...
⭐ 0· 62·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description align with the runtime instructions: it talks to a nemovideo cloud API to render Arabic slideshow videos and accepts image uploads. Requesting a NEMO_TOKEN credential is expected for that backend. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and worth confirming.
Instruction Scope
SKILL.md gives precise API calls (auth, session creation, SSE, upload, export). It instructs the agent to look for NEMO_TOKEN or otherwise call the anonymous-token endpoint to obtain one, to generate/store session_id, and to upload files (multipart or URL). These steps are within the skill's purpose. Two scope items to double-check: (1) the skill expects to auto-detect an install path to set X-Skill-Platform (may require reading agent or filesystem paths), and (2) the frontmatter's config path suggests the skill might read/write ~/.config/nemovideo/, but the instructions do not explicitly say where session tokens are persisted — confirm whether the skill will read/write that path.
Install Mechanism
This is instruction-only with no install spec and no code files, so nothing will be downloaded or written by an installer step. That is the lowest install risk.
Credentials
The only declared credential is NEMO_TOKEN, which is appropriate for a cloud-rendering backend. However: (a) SKILL.md will generate an anonymous token itself if NEMO_TOKEN is absent, so requiring NEMO_TOKEN as 'required' is inconsistent with the behavior described; (b) frontmatter lists a user config path (~/.config/nemovideo/) which would grant access to local config and possibly persisted tokens — this was not declared in the registry metadata and is not justified in the instructions. Both points should be clarified before trusting the skill with existing tokens or allowing it to access that config folder.
Persistence & Privilege
always:false (default) and no install script — good. The skill instructs keeping session_id for operations and may persist session state (implied by config path). This is reasonable for a session-based cloud service, but you should confirm where and how session or token data are stored and whether the skill will write into ~/.config/nemovideo/ or other locations.
What to consider before installing
This skill appears to be what it claims (a cloud photo-to-video service) but has a few inconsistencies to clarify before use: 1) Confirm whether the skill will read/write ~/.config/nemovideo/ (frontmatter mentions it but registry metadata did not). 2) Understand token handling: the skill can create an anonymous NEMO_TOKEN itself, so you should avoid pasting a long-lived or privileged token unless you trust nemovideo.ai. 3) Ask where session_id and any persisted tokens are stored and whether they are protected. 4) Review their privacy/terms for uploading images to an external service — uploaded images and generated tokens will be sent to mega-api-prod.nemovideo.ai. If these answers are satisfactory, the skill's behavior is coherent enough to use; if not, treat it as untrusted and do not supply existing credentials or sensitive images.Like a lobster shell, security has layers — review code before you run it.
latestvk97cjysnpk7h7mwe9ghv31w0z984m4w8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎞️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN