Skill v1.0.0
ClawScan security
Image To Video Leonardo Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 6:29 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's required credential and runtime instructions align with a cloud image→video service; no unrelated privileges or suspicious installs are requested, but review privacy/hosting and a small metadata inconsistency before installing.
- Guidance
- This skill appears to do what it says: it uploads images to a cloud rendering API (mega-api-prod.nemovideo.ai) using a NEMO_TOKEN or an anonymous token it can obtain for you. Before installing, confirm you are comfortable with your images being sent to that external service (do not upload sensitive images). Verify the domain and service legitimacy if you plan to provide a permanent NEMO_TOKEN (use least-privilege/replaceable tokens). Ask the author to explain the YAML configPaths vs registry listing mismatch (~/.config/nemovideo/) and whether the agent will read local install paths — if you want to avoid any local filesystem reads, request removal of install-path detection. Finally, check the service's privacy/terms if you need guaranteed deletion, ownership, or retention policies for uploaded media.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the runtime instructions: the SKILL.md describes uploading images, creating sessions, streaming events, rendering, and returning MP4s from an external API (mega-api-prod.nemovideo.ai). Requiring a single service token (NEMO_TOKEN) is proportionate to this purpose.
- Instruction Scope
- note: Instructions instruct the agent to POST/upload files and stream SSE responses to the nemo video backend and to include attribution headers. They also describe detecting an install path to set X-Skill-Platform and reference an optional local config path in YAML metadata. These actions are consistent with a cloud render flow but imply the agent will read runtime context (install path) and transmit user files to an external service — review if that data exfiltration is acceptable for your use case.
- Install Mechanism
- ok: No install spec or code files are present (instruction-only), so nothing is downloaded or written to disk by an installer. This minimizes install-time risk.
- Credentials
- note: Only NEMO_TOKEN is declared as required and is used to authorize API calls; the skill will obtain an anonymous token via the public API if NEMO_TOKEN is absent. This is proportionate. However, the SKILL.md YAML includes a configPaths entry (~/.config/nemovideo/) whereas the registry summary lists none — this metadata mismatch should be clarified before trusting any local config access.
- Persistence & Privilege
- ok: always is false and there is no install-time persistence requested. The skill can be invoked autonomously by the agent (platform default), which is expected for skills of this type and is not in itself a concern.
