Skill v1.0.0

ClawScan security

Image To Video Examples · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 4:56 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud-based image→video service: it needs one service token (NEMO_TOKEN), talks to nemovideo.ai endpoints, uploads user images, and manages sessions — nothing requested appears unrelated to its stated purpose.
Guidance
This skill is coherent for a cloud image→video service, but it will upload any images you provide to an external domain (mega-api-prod.nemovideo.ai) and may create an anonymous token automatically if you don't supply NEMO_TOKEN. Before installing/using it: (1) avoid uploading sensitive images unless you trust the service; (2) if you want control over billing/retention, supply your own NEMO_TOKEN from a trusted account; (3) check ~/.config/nemovideo/ after use for any cached tokens or session files; (4) review nemovideo.ai's privacy/terms if possible; and (5) be aware the agent will make outbound network requests and poll SSE endpoints to render and return files.

Review Dimensions

Purpose & Capability
ok: Name/description match the actions in SKILL.md: connecting to a nemovideo.ai backend, uploading images, creating render jobs, polling SSE and returning video URLs. The declared primary env var (NEMO_TOKEN) and config path (~/.config/nemovideo/) are consistent with a cloud backend client.
Instruction Scope
note: Instructions remain focused on the image→video workflow (session creation, uploads, SSE, render/export). They also instruct the agent to generate an anonymous token if NEMO_TOKEN is missing and to read the install path to set an attribution header — these are within the service workflow but do cause the agent to probe local paths and automatically contact an external API when no token is provided.
Install Mechanism
ok: No install spec or code files — instruction-only skill (lowest disk-write risk). All network activity is performed at runtime via described API endpoints rather than by installing binaries.
Credentials
note: Only one declared credential (NEMO_TOKEN) and a single config path are requested, which fits the service. The skill will auto-obtain an anonymous NEMO_TOKEN if none is present, which is convenient but means the agent will automatically call an external auth endpoint and use that token for subsequent uploads and renders.
Persistence & Privilege
ok: always:false and normal model invocation. The skill keeps a session_id for operations (ephemeral session behavior described); it does not request always-on presence or modify other skills. Autonomous network calls and file uploads are expected for this kind of cloud service.