Skill v1.0.0
ClawScan security
Free Ai Image To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 8, 2026, 6:04 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared need for a single NEMO_TOKEN and its API usage align with an image→video service, but small inconsistencies in the metadata and instructions (and filesystem checks) warrant caution before installing or providing credentials.
- Guidance
- This skill appears to actually implement an image→video API and only asks for a single NEMO_TOKEN, which is reasonable for this purpose. Before installing or providing credentials: (1) confirm the API domain (mega-api-prod.nemovideo.ai) is the legitimate service you expect; (2) if you don't trust that service, don't set NEMO_TOKEN in your environment — the skill can request an anonymous token, but that still makes network calls; (3) note the skill may check home-directory paths to detect platform and may access files you instruct it to upload; only upload images you control and avoid pointing it to sensitive local paths; (4) ask the publisher to resolve the metadata inconsistency about ~/.config/nemovideo/ so you know whether local config files will be accessed. If you need higher assurance, request source code or an official homepage before proceeding.
Review Dimensions
- Purpose & Capability
- note: The skill's name and description match the actions described in SKILL.md (session creation, uploads, SSE generation, rendering). Requesting a NEMO_TOKEN is appropriate for a hosted video generation API. However, the SKILL.md frontmatter includes a required configPath (~/.config/nemovideo/) while the registry metadata shown to the scanner lists no required config paths — this mismatch should be reconciled.
- Instruction Scope
- note: Runtime instructions stay largely within the stated purpose (create session, upload user image files or URLs, stream generation, poll for render). The skill does instruct the agent to read or check filesystem paths to detect install platform (e.g., ~/.clawhub/, ~/.cursor/skills/) and to reference this file's YAML frontmatter for attribution; these filesystem checks are not strictly necessary for the core feature and expand the scope of what the agent will inspect.
- Install Mechanism
- ok: No install spec and no code files are present (instruction-only). That minimizes disk-write/installation risk.
- Credentials
- note: The single required environment variable NEMO_TOKEN is proportional to a networked API service. The metadata also declares a config path (~/.config/nemovideo/) which isn't consistently reflected in the registry summary — this mismatch is unusual and worth clarifying before granting filesystem/config access.
- Persistence & Privilege
- ok: always:false and no persistence/install steps are present. The skill does not request elevated/system-wide privileges or to modify other skills.
