Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
free-kameo
v1.0.0
Generate expressive talking-head videos from static images using Kameo AI. Converts static avatars/portraits into dynamic 5-second videos with realistic facial expressions, lip-sync, and motion. Use when you need to bring static images to life, create AI character videos, demonstrate visual communication, or generate talking avatars from photos.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill's code and instructions match the stated purpose: scripts take an image, build a prompt, and call api.kameo.chat to generate videos. Requiring a KAMEO_API_KEY is expected. However, package.json advertises required binaries (curl, jq, base64) while the registry metadata lists none — a metadata mismatch. Overall capability aligns with purpose but the declared requirements are incomplete.
Instruction Scope
Enhancement and generation scripts instruct the agent to: read an image file, base64-encode it, send it to https://generativelanguage.googleapis.com (Gemini) for scene analysis and to https://api.kameo.chat for generation. The SKILL.md/USAGE omit mentioning the required GOOGLE_API_KEY while enhance_prompt.sh requires it and will transmit the image to Google. The scripts also read/write ~/.config/kameo/credentials.json (normal for storing API keys). Sending user images to external services (Google + Kameo CDN) is privacy-sensitive and not fully documented in the manifest.
Install Mechanism
There is no install spec (no downloads or archives), which lowers installation risk. All code is delivered as plain shell/python scripts. This is lower-risk than remote downloads, but package.json and scripts expect standard CLI tools (curl, jq, base64, python3) — the registry metadata failed to declare those requirements.
Credentials
The skill actually requires KAMEO_API_KEY (and optionally stores it in ~/.config/kameo/credentials.json). enhance_prompt.sh also requires GOOGLE_API_KEY to call Gemini; neither env var is declared in the registry metadata. The docs include an example API key string embedded in SKILL.md/USAGE.md (kam_I3rdx43...), which could be a leaked or placeholder key — presence of such a token in docs is suspicious and should be validated. register.sh references SUPABASE_URL and SUPABASE_ANON_KEY placeholders; if misconfigured they could expose credentials during registration flows.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes only to its own config path (~/.config/kameo/credentials.json) when registering a key (with chmod 600), which is appropriate for storing a service API key.
What to consider before installing
Before installing, verify a few things:
(1) Confirm the source/repository and that kameo.chat and the GitHub repo (package.json) are legitimate; anonymous/unknown source is riskier.
(2) Expect to provide KAMEO_API_KEY — the scripts require it even though the registry metadata lists none.
(3) The prompt-enhancement step calls Google Generative Language (Gemini) and requires GOOGLE_API_KEY; if you don't want images sent to Google, skip enhancement or remove that step.
(4) Remove or validate the example API key shown in the docs — do not assume it is valid or safe to use.
(5) Ensure you have the CLI tools used by the scripts (curl, jq, base64, python3).
(6) Review register.sh placeholders (SUPABASE_URL / SUPABASE_ANON_KEY) before running to avoid sending credentials to an unexpected Supabase project.
(7) Consider running the scripts in an isolated environment and inspect network calls (to api.kameo.chat and generativelanguage.googleapis.com) to confirm behavior.
Finally, ask the publisher to update the skill metadata to list required env vars and binaries and to remove any hardcoded example keys from published docs.
Like a lobster shell, security has layers — review code before you run it.
latestvk975v5wzwhd2qz76zs7e3pqa6980ggbg
