Skill v1.0.0

ClawScan security

Free Video Maker From Photo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 7:54 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions align with its stated purpose (cloud-based photo→video rendering), but the skill lacks a public source/homepage and includes minor metadata that could leak local config info. Review before uploading sensitive images or using a long-lived token.
Guidance
This skill appears coherent for turning photos into cloud-rendered videos, but before installing consider: (1) All user images will be uploaded to mega-api-prod.nemovideo.ai — do not send private or sensitive images unless you trust that service and its privacy policy. (2) The skill will use NEMO_TOKEN if present; only supply a token you control and trust. If you don’t want to provide a token, the agent will request an anonymous 7‑day token automatically — that is ephemeral but still sends data to the remote service. (3) Metadata references a local config path and auto-detection of install path; this could reveal whether local config exists or expose a local path string. (4) The skill has no public source or homepage — request the vendor/service URL, privacy policy, or source code before wide use. If you need higher assurance, ask for: the service's official domain verification, a privacy/retention policy, where tokens are stored (if at all), and sample API responses. Revoke any token you supply if you stop using the skill.

Review Dimensions

Purpose & Capability
ok: The skill is a cloud video-renderer and only requests a single service credential (NEMO_TOKEN) and references a nemovideo config path; these items match the described API interactions and upload workflow.
Instruction Scope
note: SKILL.md precisely instructs the agent to create sessions, upload user images, open SSE streams, poll render status, and return download URLs to a single remote host (mega-api-prod.nemovideo.ai). That behavior is expected for a cloud rendering service but does mean user files are uploaded to an external service. The skill also auto-acquires an anonymous token if NEMO_TOKEN is absent.
Install Mechanism
ok: No install spec or code is present (instruction-only), so no binaries or archives will be written to disk during installation.
Credentials
note: Only NEMO_TOKEN is required (declared as primary). The metadata also lists a config path (~/.config/nemovideo/) and asks to auto-detect an install path for X-Skill-Platform. This is plausible for locating an existing token or platform info but is not strictly necessary for core functionality and could expose local path/config presence.
Persistence & Privilege
ok: The skill is not force-enabled (always:false) and does not request system-wide changes. It can be invoked autonomously by the agent (default), which is normal; nothing in the manifest asks to modify other skills or global settings.