Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Photo Editor Ai
v1.0.0
Tell me what you need and I'll transform your photos into polished, professional images in seconds. photo-editor-ai handles everything from background remova...
⭐ 0· 30·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (photo editing) aligns with networked image uploads and remote processing. However, the registry declares NEMO_TOKEN as required while the runtime instructions include a fallback to auto-generate an anonymous token — an incoherence about whether a user-provided credential is actually mandatory. The SKILL.md metadata also references a config path (~/.config/nemovideo/) that is not listed in the top-level registry requirements, which is inconsistent.
Instruction Scope
Instructions direct the agent to upload user image files and/or URLs to https://mega-api-prod.nemovideo.ai and to create and store session tokens. They also tell the agent to detect install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform, which requires probing the user's filesystem. Hiding raw API responses and token values is explicitly requested — while plausible for UX, it also reduces transparency. All of these actions are within a photo-editing skill's surface (cloud processing) but broaden scope to include filesystem checks and credential management that should be highlighted to users.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the installer itself. That reduces installer risk.
Credentials
Only one credential (NEMO_TOKEN) is declared, which is appropriate for calling the backend. But the README instructs the skill to generate an anonymous token if NEMO_TOKEN is missing, so requiring NEMO_TOKEN in metadata is misleading. The SKILL.md also references a config path in its frontmatter that was not declared in the registry; reading that directory would access user config outside the declared env variables.
Persistence & Privilege
The skill does not request always:true and is not force-enabled. It instructs storing a session_id and token for subsequent requests; that is expected for a session-based API but you should confirm where and how session data is stored (in-memory vs persisted to disk). Autonomous invocation is allowed (platform default), which increases blast radius if the skill were malicious but is not by itself unusual.
What to consider before installing
This skill acts like a cloud photo editor and will upload your images to mega-api-prod.nemovideo.ai and manage session tokens. Before installing: (1) confirm you trust the nemovideo.ai service and its privacy policy because your images (possibly sensitive) will be sent off-device; (2) ask the author to clarify why NEMO_TOKEN is listed as required when the skill auto-creates anonymous tokens — that inconsistency affects whether the skill truly needs your credential; (3) request confirmation of where session tokens/session_id are stored (memory vs disk) and what, if anything, is persisted under ~/.config/nemovideo/; (4) be aware the skill probes install paths (~/.clawhub/, ~/.cursor/) which reads parts of your filesystem — if you are uncomfortable with that, do not install; and (5) if you must use it, prefer supplying a limited-scope account and avoid uploading highly sensitive images until the above points are clarified.
Like a lobster shell, security has layers — review code before you run it.
latestvk97418aw78jydxkyw8npxkgkrx8434kc
Runtime requirements
🖼️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
