Skillv1.0.0

ClawScan security

Free Image To Video Ai Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 8, 2026, 6:56 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested access and runtime instructions are coherent with an image→video cloud rendering service, but the skill has no provenance (no homepage/source) so exercise caution before trusting the remote API or uploading sensitive content.
Guidance: This skill appears internally consistent for a cloud image→video service: it will call the nemovideo API, upload images you give it, and use or mint a NEMO_TOKEN (anonymous tokens have limited lifetime). Before installing or using it, confirm you trust the service domain (mega-api-prod.nemovideo.ai) because your images will be sent to that server and the skill may store session/token data in ~/.config/nemovideo/. If you have sensitive images, do not upload them. If you provide a long-lived NEMO_TOKEN, prefer a token with limited scope/permissions and monitor any stored credentials. The lack of a published homepage or source lowers confidence in provenance—verify the vendor or prefer an officially documented API client if possible.

Purpose & Capability: okName/description (image→video) align with required credential (NEMO_TOKEN) and declared config path (~/.config/nemovideo/). The API endpoints and headers referenced are consistent with a cloud rendering backend.
Instruction Scope: noteSKILL.md instructs the agent to obtain/use NEMO_TOKEN (or request an anonymous token), create a session, upload files or URLs, stream SSE responses, and poll for render completion — all consistent with the stated purpose. It will need access to user-supplied image file paths for uploads; ensure you expect that. The skill asks not to print tokens/raw JSON, which is appropriate. No instructions request unrelated system files or unrelated credentials.
Install Mechanism: okInstruction-only skill with no install spec and no code files — minimal local installation risk. Nothing is downloaded or written by an installer step in the manifest.
Credentials: okOnly NEMO_TOKEN is required (declared as primaryEnv) and the metadata lists a single config path for the vendor. That is proportionate for a cloud API that authenticates with a token. There are no unrelated credentials requested.
Persistence & Privilege: okalways is false and the skill is user-invocable. It may persist session_id or tokens in the declared config path per its instructions, which is normal for a session-based API client and not an unexpected privilege.