ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Videoopenai

v1.0.0

convert still images into animated video clips with this skill. Works with JPG, PNG, WEBP, GIF files up to 200MB. content creators and marketers use it for c...

0· 36·0 current·0 all-time
by@whitejohnk-26
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose — converting still images to short videos — aligns with the API calls and flows in SKILL.md (session creation, upload, render/export). However the skill name includes 'openai' while every endpoint and the described backend are for 'nemovideo.ai', which is misleading. Also the SKILL.md metadata references a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths; this mismatch should be clarified.
!
Instruction Scope
Runtime instructions tell the agent to check for NEMO_TOKEN and if missing to request an anonymous token from https://mega-api-prod.nemovideo.ai and then upload user images and create render jobs. That behavior is coherent for an image→video service but has privacy implications: user-provided images will be transmitted to an external cloud service and the skill will autonomously obtain and use an anonymous token if none is provided. The doc also references detecting install path (~/.clawhub/, ~/.cursor/skills/) to set an attribution header, implying the agent may examine filesystem install paths to determine 'X-Skill-Platform'.
Install Mechanism
No install spec and no code files are present (instruction-only), so there is nothing being downloaded or written at install time. This is lower risk from an installation-execution perspective.
Credentials
Only one credential is declared (NEMO_TOKEN), which is appropriate for a remote rendering API. However SKILL.md describes creating or retrieving an anonymous NEMO_TOKEN itself if none exists (via an anonymous-token endpoint), and the frontmatter lists a config path that the registry metadata did not — this discrepancy should be reconciled. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It stores a session_id for job tracking (normal for this use), and there is no instruction to modify other skills or system-wide configurations.
What to consider before installing
This skill appears to do what it says (send images to a cloud service that renders short videos), but there are some things to check before installing: 1) The name contains 'openai' but the skill talks only to nemovideo.ai — ask the publisher why the name references OpenAI and confirm what backend actually runs your data. 2) Using the skill will upload your images to an external service and the skill will create or use an anonymous NEMO_TOKEN automatically if you don't provide one — do not send sensitive images unless you trust the service and its privacy policy. 3) Confirm whether the skill will read install/config paths (the SKILL.md references ~/.config/nemovideo/ and detection of install paths) — if you prefer no filesystem access, ask the author to remove that behavior. 4) If you plan to supply a NEMO_TOKEN, verify how long tokens persist and whether the service stores your media. If you need higher assurance, request source code or a privacy/security policy from the developer. If any answers are missing or unsatisfactory, treat the skill as potentially risky and avoid sending private or sensitive images.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN
latestvk970asx2g4110cdxr0synrfrcx85aebb
36downloads
0stars
1versions
Updated 21h ago
v1.0.0
MIT-0
@whitejohnk-26
latest
Download

Getting Started

Share your still images and I'll get started on AI video creation. Or just tell me what you're thinking.

Try saying:

  • "convert my still images"
  • "export 1080p MP4"
  • "turn this image into a 5-second"

Quick Start Setup

This skill connects to a cloud processing backend. On first use, set up the connection automatically and let the user know ("Connecting...").

Token check: Look for NEMO_TOKEN in the environment. If found, skip to session creation. Otherwise:

  • Generate a UUID as client identifier
  • POST https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token with X-Client-Id header
  • Extract data.token from the response — this is your NEMO_TOKEN (100 free credits, 7-day expiry)

Session: POST https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent with Bearer auth and body {"task_name":"project"}. Keep the returned session_id for all operations.

Let the user know with a brief "Ready!" when setup is complete. Don't expose tokens or raw API output.

Image to Video OpenAI — Convert Images into Video Clips

Drop your still images in the chat and tell me what you need. I'll handle the AI video creation on cloud GPUs — you don't need anything installed locally.

Here's a typical use: you send a a single product photo or illustration, ask for turn this image into a 5-second animated video clip, and about 30-90 seconds later you've got a MP4 file ready to download. The whole thing runs at 1080p by default.

One thing worth knowing — high-contrast images with clear subjects produce the most consistent motion results.

Matching Input to Actions

User prompts referencing image to videoopenai, aspect ratio, text overlays, or audio tracks get routed to the corresponding action via keyword and intent classification.

User says...ActionSkip SSE?
"export" / "导出" / "download" / "send me the video"→ §3.5 Export
"credits" / "积分" / "balance" / "余额"→ §3.3 Credits
"status" / "状态" / "show tracks"→ §3.4 State
"upload" / "上传" / user sends file→ §3.2 Upload
Everything else (generate, edit, add BGM…)→ §3.1 SSE

Cloud Render Pipeline Details

Each export job queues on a cloud GPU node that composites video layers, applies platform-spec compression (H.264, up to 1080x1920), and returns a download URL within 30-90 seconds. The session token carries render job IDs, so closing the tab before completion orphans the job.

All calls go to https://mega-api-prod.nemovideo.ai. The main endpoints:

  1. SessionPOST /api/tasks/me/with-session/nemo_agent with {"task_name":"project","language":"<lang>"}. Gives you a session_id.
  2. Chat (SSE)POST /run_sse with session_id and your message in new_message.parts[0].text. Set Accept: text/event-stream. Up to 15 min.
  3. UploadPOST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs.
  4. CreditsGET /api/credits/balance/simple — returns available, frozen, total.
  5. StateGET /api/state/nemo_agent/me/<sid>/latest — current draft and media info.
  6. ExportPOST /api/render/proxy/lambda with render ID and draft JSON. Poll GET /api/render/proxy/lambda/<id> every 30s for completed status and download URL.

Formats: mp4, mov, avi, webm, mkv, jpg, png, gif, webp, mp3, wav, m4a, aac.

Headers are derived from this file's YAML frontmatter. X-Skill-Source is image-to-videoopenai, X-Skill-Version comes from the version field, and X-Skill-Platform is detected from the install path (~/.clawhub/ = clawhub, ~/.cursor/skills/ = cursor, otherwise unknown).

All requests must include: Authorization: Bearer <NEMO_TOKEN>, X-Skill-Source, X-Skill-Version, X-Skill-Platform. Missing attribution headers will cause export to fail with 402.

Draft JSON uses short keys: t for tracks, tt for track type (0=video, 1=audio, 7=text), sg for segments, d for duration in ms, m for metadata.

Example timeline summary:

Timeline (3 tracks): 1. Video: city timelapse (0-10s) 2. BGM: Lo-fi (0-10s, 35%) 3. Title: "Urban Dreams" (0-3s)

Translating GUI Instructions

The backend responds as if there's a visual interface. Map its instructions to API calls:

  • "click" or "点击" → execute the action via the relevant endpoint
  • "open" or "打开" → query session state to get the data
  • "drag/drop" or "拖拽" → send the edit command through SSE
  • "preview in timeline" → show a text summary of current tracks
  • "Export" or "导出" → run the export workflow

Reading the SSE Stream

Text events go straight to the user (after GUI translation). Tool calls stay internal. Heartbeats and empty data: lines mean the backend is still working — show "⏳ Still working..." every 2 minutes.

About 30% of edit operations close the stream without any text. When that happens, poll /api/state to confirm the timeline changed, then tell the user what was updated.

Error Codes

  • 0 — success, continue normally
  • 1001 — token expired or invalid; re-acquire via /api/auth/anonymous-token
  • 1002 — session not found; create a new one
  • 2001 — out of credits; anonymous users get a registration link with ?bind=<id>, registered users top up
  • 4001 — unsupported file type; show accepted formats
  • 4002 — file too large; suggest compressing or trimming
  • 400 — missing X-Client-Id; generate one and retry
  • 402 — free plan export blocked; not a credit issue, subscription tier
  • 429 — rate limited; wait 30s and retry once

Tips and Tricks

The backend processes faster when you're specific. Instead of "make it look better", try "turn this image into a 5-second animated video clip" — concrete instructions get better results.

Max file size is 200MB. Stick to JPG, PNG, WEBP, GIF for the smoothest experience.

Export as MP4 for widest compatibility across social platforms.

Common Workflows

Quick edit: Upload → "turn this image into a 5-second animated video clip" → Download MP4. Takes 30-90 seconds for a 30-second clip.

Batch style: Upload multiple files in one session. Process them one by one with different instructions. Each gets its own render.

Iterative: Start with a rough cut, preview the result, then refine. The session keeps your timeline state so you can keep tweaking.

Comments

Loading comments...