by 安全扫描
OpenClaw
安全
medium confidenceThe skill's requirements and runtime instructions are coherent with an image→video cloud service: it needs a NEMO_TOKEN and talks to the nemovideo.ai API; nothing requested appears disproportionate, though there are a few small metadata/instruction inconsistencies you should be aware of.
评估建议
This skill appears to do what it says: it uploads your images and calls a third-party rendering API (mega-api-prod.nemovideo.ai) using a NEMO_TOKEN. Before installing, consider: (1) uploaded images and generated video will be sent to an external service — avoid sending sensitive images you wouldn't want stored/processed remotely; (2) the skill can create anonymous tokens itself if none are provided — verify you are comfortable with the service issuing ephemeral tokens and track how long they liv...详细分析 ▾
✓ 用途与能力
The skill describes a cloud video-rendering service and its SKILL.md only requires a single service token (NEMO_TOKEN) and makes API calls to a nemovideo.ai backend — this aligns with the declared purpose. Minor mismatch: registry metadata listed no required config paths, but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). This is likely benign but inconsistent.
ℹ 指令范围
Instructions are narrowly focused on session creation, file upload, SSE streaming, polling render status, and token renewal — all expected for a remote render service. The SKILL.md also instructs the agent to detect the install path to set an X-Skill-Platform header (checking ~/.clawhub/ and ~/.cursor/skills/). That implies reading local install paths (filesystem probing) which is outside the declared environment fields and should be noted.
✓ 安装机制
No install spec or downloaded code — instruction-only skill. Lowest install risk (nothing is written to disk by an installer).
ℹ 凭证需求
Only one credential is declared (NEMO_TOKEN), which is exactly what the service needs. The skill will auto-request an anonymous token via the public anonymous-token endpoint if NEMO_TOKEN is absent; that behavior is reasonable for a client but means the skill will make network calls to obtain tokens on first run. Also the SKILL.md references a config path (~/.config/nemovideo/) in its metadata even though the registry entry did not declare required config paths — a small inconsistency.
✓ 持久化与权限
The skill is not marked always:true and does not request system-wide privileges. It needs to hold session_id and tokens for operations, which is normal for a session-based remote service; the SKILL.md does not instruct modifying other skills or system configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/21
AI Image To Video — initial release - Convert static images (JPG, PNG, WEBP, HEIC, up to 200MB) into 1080p MP4 video clips using cloud GPUs. - Automatic setup with anonymous token generation (100 free credits, 7-day expiry). - Simple workflows: upload images, describe output, receive download link for rendered video. - Supports quick video generation with transitions, audio tracks, and text overlays. - Common export, status, and credits actions via user-friendly commands.
● Pending
安装命令
点击复制官方npx clawhub@latest install ai-image-to
镜像加速npx clawhub@latest install ai-image-to --registry https://cn.longxiaskill.com