Skill v1.0.0

ClawScan security

Ai Image To Video Deevid · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 5:26 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (upload images and call a Nemovideo API using a NEMO_TOKEN), with only minor inconsistencies worth reviewing before use.
Guidance
This skill appears to do what it says: it uploads images to a Nemovideo backend and returns rendered MP4s. Before installing, consider:
- NEMO_TOKEN is used as a Bearer auth credential; only provide a token scoped for this service (avoid reusing high-privilege or long-lived secrets). If you don't supply one, the skill will request an anonymous token from https://mega-api-prod.nemovideo.ai which gives limited free credits.
- Files you upload will be sent to an external service (mega-api-prod.nemovideo.ai) and processed on cloud GPUs — check privacy/storage/retention policies before sending sensitive images.
- The skill will read its own YAML frontmatter and may probe typical install paths (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header; this is only for attribution but does involve checking local paths. If you are uncomfortable with that, avoid enabling the skill or run it in an environment that doesn't expose those paths.
- There is a small metadata mismatch (SKILL.md lists a config path while registry metadata shows none); harmless but worth noting.

If you trust nemovideo.ai (or plan to use the anonymous token flow) and are comfortable with uploading images to a third-party cloud renderer, this skill is coherent and reasonable to use. If you need stronger guarantees about data handling or token scope, verify the service's terms or avoid supplying a personal NEMO_TOKEN.

Review Dimensions

Purpose & Capability
ok
The skill claims to convert images to short videos and its instructions only require a NEMO_TOKEN and calls to nemovideo.ai endpoints — these are coherent and expected for a cloud-rendering video service. Minor inconsistency: the SKILL.md frontmatter advertises a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths; this is plausibly harmless but is an internal mismatch.
Instruction Scope
note
Instructions focus on establishing a session, uploading files, streaming SSE, and polling render status — all appropriate. They also instruct the agent to read the skill's YAML frontmatter (for version/source) and to detect install path (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header, which requires reading local install-path information; this is not strictly harmful but it does cause the agent to probe local paths for attribution purposes.
Install Mechanism
ok
There is no install spec and no code files (instruction-only). Nothing is written to disk by an installer step — lowest-risk install mechanism.
Credentials
ok
The only required environment variable is NEMO_TOKEN (declared as primaryEnv), which is proportionate for authenticating to the described API. The SKILL.md's additional mention of a config path is informational; no other unrelated secrets are requested.
Persistence & Privilege
ok
The skill is not force-included (always: false) and requests no special persistent privileges or system-wide configuration changes. Autonomous invocation is allowed (platform default) but not combined with other high-risk requests.