Skill v1.0.0

ClawScan security

Ai Image To Video Luma · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 5:55 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with its stated purpose (animating images via the NemoVideo/Luma-style API) and ask only for a single service token; there are no unrelated credentials, installs, or surprising behaviors in the SKILL.md.
Guidance
This skill appears coherent and implements a cloud image→video workflow. Before installing:
(1) confirm you trust the domain (mega-api-prod.nemovideo.ai) and the service's privacy/billing policy, because your images and any uploaded audio will be sent to that backend;
(2) provide a NEMO_TOKEN scoped only to this service (do not reuse unrelated high-privilege tokens);
(3) test with non-sensitive images first to verify output and behavior;
(4) note the skill will create sessions and may cache session data under ~/.config/nemovideo/ if the agent uses that path; clear/revoke tokens if you stop using it;
(5) because this is instruction-only, no local code is installed, but the skill will still transmit data to an external API, so treat that as the main privacy risk.

Review Dimensions

Purpose & Capability
ok · The name/description match the runtime instructions: the skill talks to a cloud rendering API at mega-api-prod.nemovideo.ai and needs a NEMO_TOKEN to authorize requests. Declared config path (~/.config/nemovideo/) and primaryEnv (NEMO_TOKEN) are reasonable for a cloud-rendering image→video service.
Instruction Scope
ok · SKILL.md limits actions to creating sessions, uploading files, streaming SSE messages, polling render state, and starting exports. It only references the declared env var (NEMO_TOKEN) and the single service domain. It does not instruct the agent to read unrelated local files, secrets, or system state beyond the declared config path and install-path auto-detection for header attribution.
Install Mechanism
ok · No install spec or code files are present (instruction-only skill), so nothing is downloaded or written to disk by an installer. This is the lowest-risk installation posture.
Credentials
note · Only NEMO_TOKEN is requested, which is proportionate for a cloud API client. Note that possession of NEMO_TOKEN likely grants access to the user's jobs, uploads, and credits on the backend service; treat it like any API token and avoid reusing more-privileged tokens from other services. The metadata's config path (~/.config/nemovideo/) is declared; if the agent accesses it, that could contain cached tokens or session state.
Persistence & Privilege
ok · The always flag is false and the skill is instruction-only; it does not request permanent presence or system-wide configuration changes and does not modify other skills' configs.