Skill v1.0.0

ClawScan security

Ai Image To Video Discord · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 8:03 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (cloud image→video rendering) and only asks for a single service token and standard API interactions, but there are a few small metadata/instruction notes you should be aware of before installing.
Guidance
This skill will upload your images to an external service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will request a short-lived anonymous token). Before installing or using it, consider: 1) Do you trust the remote service to process and store the images you send? 2) Use a dedicated or limited-scope token (or the anonymous token option) if you are concerned about credential exposure, and revoke it when finished. 3) Avoid sending sensitive or private images to the service. 4) Be aware of a minor metadata mismatch: the skill metadata mentions a config path (~/.config/nemovideo/) even though registry metadata did not — confirm whether local config will be read/written if that matters to you. If you need stronger assurance, ask the skill author for a privacy/security statement or inspect network logs to confirm only the documented endpoints/headers are used.

Review Dimensions

Purpose & Capability
note: Name/description align with contacting a remote video-rendering service. Requesting a NEMO_TOKEN and session management is coherent for a cloud render pipeline. Minor inconsistency: the SKILL.md frontmatter lists a configPaths value (~/.config/nemovideo/) even though the registry metadata reported no required config paths; the skill doesn't clearly say it will read or write that path, but the presence of it in metadata is unexpected.
Instruction Scope
note: Runtime instructions are focused on the service API: obtaining/using a NEMO_TOKEN (or obtaining an anonymous token), creating a session, uploading media, using SSE, polling export status, and returning download URLs. The skill explicitly tells the agent to save the session_id and to avoid printing tokens/raw JSON. It does not instruct reading unrelated system files, but it requires adding attribution headers and auto-detecting platform from install path (which may be brittle in some environments). Overall the instructions stay within the stated scope.
Install Mechanism
ok: Instruction-only skill with no install spec or code to download or execute — lowest-risk install mechanism.
Credentials
note: Only a single credential (NEMO_TOKEN) is required, which is proportional to a cloud rendering service. The skill can also obtain an anonymous token if no token is provided. The unexpected configPaths entry in the frontmatter raises a minor question about whether it will read/write ~/.config/nemovideo/, though the instructions do not explicitly direct access to that path.
Persistence & Privilege
ok: always:false and no install means the skill does not request elevated or persistent platform privileges. It does instruct the agent to persist session_id (session state) which is normal for a service-backed workflow.