Skill v1.0.0
ClawScan security
Image To Video Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 12, 2026, 9:07 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's described purpose (convert images to short videos) matches its runtime instructions, but there are small inconsistencies and privacy/clarity concerns you should understand before using it.
- Guidance: This skill uploads your images and edit commands to a third‑party API (mega-api-prod.nemovideo.ai). Before using it:
  1) Confirm you trust that domain and understand their privacy/data retention policy — your images will leave your device.
  2) Use a dedicated or disposable NEMO_TOKEN (don’t reuse high‑privilege tokens).
  3) Be aware the skill may create anonymous tokens automatically; these grant the service access for the session.
  4) Note the SKILL.md has minor inconsistencies (missing explicit attribution headers, config path mention) — ask the author for clarification if you rely on strict provenance.
  If any of that is unacceptable (sensitive images, regulatory constraints), do not install/use the skill.
- Findings: [NO_REGEX_FINDINGS] expected: The static scanner found no code (this is an instruction-only skill). That is expected but provides limited assurance — there is no packaged code to review, so the runtime instructions are the primary security surface.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the skill routes image uploads and render/export calls to a cloud video API and requires a NEMO_TOKEN. Requesting a single API token for a remote render service is proportionate to the stated purpose. Minor inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths.
- Instruction Scope (note): Instructions explicitly send user images and edit commands to a third‑party API (expected for a cloud render service). They also instruct the agent to generate anonymous tokens and save session IDs. A couple of clarity issues: the SKILL.md refers to “the three attribution headers above” without listing them explicitly, and it asks the agent to detect install path for X-Skill-Platform — both are operational but vague. There is no instruction to read unrelated secrets or system files beyond the SKILL.md/frontmatter and user-provided images.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself — lowest install risk.
- Credentials (note): Only a single credential (NEMO_TOKEN) is declared and used, which is appropriate for a hosted API. The skill also supports creating a short-lived anonymous token via the API if NEMO_TOKEN is absent. Verify that NEMO_TOKEN is only used for the intended service and not a re-used high‑privilege credential. The frontmatter's config path mention is inconsistent with registry metadata.
- Persistence & Privilege (ok): always:false and normal model invocation are used. The skill does not request permanent system presence or to modify other skills' configs in its instructions.
