Skill v1.0.0

ClawScan security

Free Image To Video Generator Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 7:54 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions mostly match a cloud image→video service, but there are inconsistencies in the declared metadata vs. the SKILL.md and some ambiguous steps that could cause the agent to read environment/install paths or contact an unfamiliar external API — review before installing.
Guidance
This skill appears to be a front-end for a cloud image→video service and will send your uploaded images to https://mega-api-prod.nemovideo.ai for processing. Before installing: (1) confirm you trust that external domain and the service's privacy policy (uploads may include sensitive content); (2) ask the publisher to resolve metadata mismatches (registry says no config paths but SKILL.md lists ~/.config/nemovideo/ and the skill declares NEMO_TOKEN required yet describes creating an anonymous token if missing); (3) clarify what the agent must read from the environment or local filesystem to 'auto-detect' platform and to build attribution headers; and (4) consider whether you want the agent to be able to upload files off your device to a third-party API. If any answers are unsatisfactory, do not install or run the skill with sensitive content.

Review Dimensions

Purpose & Capability
note: The name/description (convert images to video) aligns with the API endpoints and actions described in SKILL.md (upload, render, export). Requesting a NEMO_TOKEN as the primary credential is consistent with a cloud rendering service. However, registry metadata says no config paths while the skill frontmatter includes a configPaths entry (~/.config/nemovideo/), which is an inconsistency the publisher should clarify.
Instruction Scope
concern: The SKILL.md instructs the agent to obtain or use NEMO_TOKEN, create sessions, upload user files, start SSE streams, and poll render endpoints — all expected for a cloud renderer. Concerns: (1) the doc asks the agent to 'auto-detect' platform from an install path (this may require reading agent install/config paths), and (2) it tells the agent how to generate an anonymous token if NEMO_TOKEN is absent despite NEMO_TOKEN being declared required in registry metadata. The instructions also require adding custom attribution headers; constructing them may require reading frontmatter values or the environment. These gaps create ambiguity about what filesystem/env access the agent will perform.
Install Mechanism
ok: Instruction-only skill (no install spec, no code files). This is low-risk from an install perspective because nothing is downloaded or written by a package installer.
Credentials
note: Only NEMO_TOKEN is declared as required, which is proportional for a cloud API. However the runtime doc supports acquiring an anonymous token itself if NEMO_TOKEN is absent, meaning the declared 'required env var' is optional in practice — this mismatch should be clarified. The skill does not request unrelated credentials.
Persistence & Privilege
note: 'always' is false and autonomous invocation is allowed (platform default). The skill instructs the agent to 'keep the returned session_id' but does not specify persistent storage location; that could be ephemeral memory or agent-managed storage. There's no explicit request to modify system-wide settings or other skills.