Skill v1.0.0
ClawScan security
Picture To Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 12:12 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions, required credential, and network endpoints align with a photo→video cloud-rendering service, but there are minor metadata inconsistencies and privacy/provenance considerations you should review before installing.
- Guidance: This skill appears to do what it says: it uploads your images to nemovideo.ai and returns rendered MP4s. Before installing, consider: (1) provenance: the skill source/homepage is unknown, so you cannot audit the backend or operator; (2) privacy: your images will be sent to https://mega-api-prod.nemovideo.ai (verify you are comfortable with that service's privacy and retention policies, and avoid uploading sensitive images); (3) tokens/session storage: the skill will request or create a NEMO_TOKEN and store a session_id for renders (clarify where/how that is stored and for how long); (4) credits/cost: anonymous tokens are described as time-limited/credit-limited, so check whether exports can incur charges; (5) metadata mismatch: ask the publisher to clarify the configPath declaration (~/.config/nemovideo/) vs. registry metadata. If any of these are unacceptable or unclear, do not install or only use with non-sensitive test images.
Review Dimensions
- Purpose & Capability (note): The name/description (convert photos to short videos) match the runtime instructions (upload images, call mega-api-prod.nemovideo.ai render endpoints). Requesting a single service token (NEMO_TOKEN) is proportionate. Minor inconsistency: the registry metadata in the package summary lists no required config paths, but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). That mismatch should be clarified (is the skill expected to read/write that local config?).
- Instruction Scope (ok): SKILL.md explicitly directs the agent to upload user images and interact with the nemovideo.ai API (auth, upload, SSE chat, export polling). Those actions are within scope for a cloud-rendering photo→video skill. It does instruct automatic anonymous-token acquisition if NEMO_TOKEN is absent and to 'store session_id' for subsequent calls. Storing session state is expected, but the document doesn't specify storage scope or retention. The instructions are specific about endpoints and headers and do not ask the agent to read unrelated files or secrets.
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only. This is the lowest install risk (nothing is written to disk by an installer).
- Credentials (note): Only NEMO_TOKEN is declared as required/primary, which is appropriate for an API-backed renderer. The SKILL.md includes logic to generate an anonymous token if NEMO_TOKEN is not present (reasonable). The SKILL.md frontmatter also references a local config path (~/.config/nemovideo/), but the registry listing did not declare config paths: either the skill intends to persist session state locally (plausible) or the metadata is inconsistent. No unrelated credentials are requested.
- Persistence & Privilege (ok): always:false (default) and autonomous invocation enabled (normal). The skill will contact an external cloud service and may retain session IDs/tokens for the session; this is expected for its function. There is no request to modify other skills or global agent settings.
