Skill v1.0.0

ClawScan security

Image To Video Imagemover · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 15, 2026, 5:09 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (convert images to video via a remote API) but contains a few inconsistencies and minor scope-creep (local path checks and an undeclared config path) that warrant caution before installing.
Guidance
This skill appears to implement a cloud-based image→video workflow and only needs a NEMO_TOKEN to operate, which is reasonable. Before installing:
1) Confirm the NEMO API domain (https://mega-api-prod.nemovideo.ai) is trustworthy and that you accept their privacy/retention policy — images you upload will be sent to that service.
2) Ask the skill author to explain the discrepancy between registry metadata and the SKILL.md frontmatter (the latter mentions ~/.config/nemovideo/). Clarify whether the skill will read that directory or other local files.
3) The skill instructs detecting install paths (~/.clawhub, ~/.cursor/skills); if you don't want the agent to probe your home directory, decline or sandbox the skill.
4) Use an ephemeral or limited-scope token if possible, test with non-sensitive images first, and rotate/revoke the token after use if you have any doubts.

Review Dimensions

Purpose & Capability
note: The name/description, declared primary credential (NEMO_TOKEN), and all API endpoints in SKILL.md align with an image→video cloud-rendering service. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and instructions to detect install paths (~/.clawhub, ~/.cursor/skills) while the registry metadata lists no required config paths — this mismatch should be clarified by the author.
Instruction Scope
note: Runtime instructions are detailed and largely within scope: create/obtain a NEMO_TOKEN, create a session, upload image files (multipart or by URL), stream SSEs, poll render status, and return a download URL. A notable instruction asks the agent to detect an install path on the host (checking ~/, ~/.clawhub, ~/.cursor/skills) to set an attribution header; that requires reading the local filesystem (home directory). Reading these specific locations is not obviously necessary for video rendering and expands the skill's runtime scope.
Install Mechanism
ok: Instruction-only (no install spec, no code files). This minimizes install-time risk because nothing is written to disk by an installer step.
Credentials
note: Only a single credential (NEMO_TOKEN) is required, which is proportional to a remote API service. However, the frontmatter declares a config path (~/.config/nemovideo/) which was not listed in the registry metadata — if the skill reads that directory it might access local tokens/configs, so confirm whether that path is actually needed.
Persistence & Privilege
ok: always is false and the skill does not request persistent platform-level privileges. It does instruct the agent to save session_id and use tokens for API calls (normal for a cloud render workflow) but does not request to modify other skills or system-wide settings.