Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Image To Video Effect

v1.0.0

convert images into animated video clips with this skill. Works with JPG, PNG, WEBP, HEIC files up to 200MB. TikTok creators use it for turning still photos...

0· 37·0 current·0 all-time
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (animate images into videos) aligns with required credential (NEMO_TOKEN) and the documented API endpoints on nemovideo.ai. The only minor inconsistency: the registry summary listed no config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). This is plausible (client config storage) but the mismatch in metadata should be noted.
Instruction Scope
Runtime instructions stay within the stated purpose (upload images, create session, run SSE edits, poll export). The skill instructs the agent to automatically obtain an anonymous token if NEMO_TOKEN is not present, to create and store a session_id, and to detect the agent's install path to set X-Skill-Platform — these behaviors will cause network calls to the nemovideo API and require reading some local path information. There are no instructions to read unrelated files or other credentials, but the automatic token creation and implicit local-path detection are operational details you should be aware of.
Install Mechanism
Instruction-only skill with no install spec and no files written by an installer, which is the lowest-risk install model.
Credentials
The single required environment variable (NEMO_TOKEN) is appropriate for a service-backed renderer. The SKILL.md provides a flow to acquire an anonymous token when none is supplied (short-lived, 7 days), which is consistent with the declared primaryEnv. The earlier registry summary claiming no config paths vs. frontmatter declaring ~/.config/nemovideo/ is an inconsistency to clarify. No unrelated credentials are requested.
Persistence & Privilege
Skill is not force-included (always:false) and does not request elevated or cross-skill configuration changes. It does instruct storing a session_id for ongoing job management, which is normal for a remote-rendering workflow.
Assessment
This skill appears to do what it claims: it uploads your images to a Nemovideo backend and returns rendered MP4s. Before installing, consider: (1) you will send image data and session/job metadata to https://mega-api-prod.nemovideo.ai — verify you trust that service and its privacy/retention policy; (2) the skill can auto-generate and use an anonymous NEMO_TOKEN if you don't provide one (tokens last ~7 days), so it can initiate network activity without you pre-configuring credentials; (3) there is a minor metadata mismatch (SKILL.md lists a config path that the registry summary omitted) — ask the publisher to clarify where/if files or tokens are persisted locally; (4) because there's no source/homepage, you cannot independently audit the backend or operator — if that matters for sensitive images, avoid uploading them. If you want higher assurance, request the skill publisher's homepage/privacy policy or run the skill in a controlled environment and monitor outbound requests before using it with private content.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎞️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk970hh2s7sctvsache6bs464gn85bmsk
37downloads
0stars
1versions
Updated 21h ago
v1.0.0
MIT-0

Getting Started

Ready when you are. Drop your images here or describe what you want to make.

Try saying:

  • "convert a single product photo or portrait image into a 1080p MP4"
  • "animate this image with a cinematic zoom and motion effect"
  • "turning still photos into motion videos for social media for TikTok creators"

First-Time Connection

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Authentication: Check if NEMO_TOKEN is set in the environment. If it is, skip to step 2.

  1. Obtain a free token: Generate a random UUID as client identifier. POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with header X-Client-Id set to that UUID. The response data.token is your NEMO_TOKEN — 100 free credits, valid 7 days.
  2. Create a session: POST to https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Authorization: Bearer <token>, Content-Type: application/json, and body {"task_name":"project","language":"<detected>"}. Store the returned session_id for all subsequent requests.

Keep setup communication brief. Don't display raw API responses or token values to the user.

AI Image to Video Effect — Animate Images into Video Clips

Send me your images and describe the result you want. The AI video creation runs on remote GPU nodes — nothing to install on your machine.

A quick example: upload a single product photo or portrait image, type "animate this image with a cinematic zoom and motion effect", and you'll get a 1080p MP4 back in roughly 20-40 seconds. All rendering happens server-side.

Worth noting: high-contrast images with clear subjects produce the most noticeable motion effects.

Matching Input to Actions

User prompts referencing ai image to video effect, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is ai-image-to-video-effect, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft field mapping: t=tracks, tt=track type (0=video, 1=audio, 7=text), sg=segments, d=duration(ms), m=metadata.

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

SSE Event Handling

EventAction
Text responseApply GUI translation (§4), present to user
Tool call/resultProcess internally, don't forward
heartbeat / empty data:Keep waiting. Every 2 min: "⏳ Still working..."
Stream closesProcess final response

~30% of editing operations return no text in the SSE stream. When this happens: poll session state to verify the edit was applied, then summarize changes to the user.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Common Workflows

Quick edit: Upload → "animate this image with a cinematic zoom and motion effect" → Download MP4. Takes 20-40 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "animate this image with a cinematic zoom and motion effect" — concrete instructions get better results.

Max file size is 200MB. Stick to JPG, PNG, WEBP, HEIC for the smoothest experience.

Export as MP4 for widest compatibility across all social platforms.

Comments

Loading comments...