Skill v1.0.0

ClawScan security

Image To Video Drone Shot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 6:00 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent for a cloud-based image→video service: it only needs a single service token, uses a documented API flow, and has no install or extra credential requests — but there are a couple of small metadata inconsistencies you should be aware of.
Guidance
This skill appears to do what it says: it sends images to a cloud rendering API and returns a video. Before installing/using:

1) Confirm you trust the domain (https://mega-api-prod.nemovideo.ai) and review its privacy/TOS — your images are uploaded to that external service.
2) Use a service-specific or limited NEMO_TOKEN (don't reuse general cloud or admin tokens).
3) Note the small metadata mismatch: SKILL.md references ~/.config/nemovideo/ while registry metadata earlier lists no config paths — ask the author to clarify if the skill will read or write that path.
4) Be aware the agent may probe common install paths to set an attribution header (X-Skill-Platform); this can reveal which client you use but is not a credential leak.
5) The skill will generate anonymous tokens if no NEMO_TOKEN is present — anonymous tokens have limited lifetime; if you need export beyond demo limits, use a registered account and scoped credentials.

If you are comfortable uploading your images to the described service and providing a scoped token, the skill is consistent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: The skill's name and description match the actions in SKILL.md: uploading images, creating a session, queuing render jobs, and returning a download URL. Requesting a NEMO_TOKEN (API token) is proportional to a cloud render service. One minor inconsistency: registry metadata shown above lists no required config paths, but the SKILL.md frontmatter metadata mentions a config path (~/.config/nemovideo/). This mismatch is likely harmless but should be clarified.
Instruction Scope
note: The runtime instructions are focused on service API calls (anonymous-token, session creation, upload, SSE for streaming, export polling). They instruct the agent to read the NEMO_TOKEN env var (declared) or perform an anonymous token exchange, and to accept file uploads for sending to the remote API. The doc also instructs the agent to detect the install path to populate the X-Skill-Platform header; that requires checking common filesystem paths (~/.clawhub, ~/.cursor/skills), which may reveal the presence of certain clients. This is informational but not excessive. No instructions request unrelated system credentials or arbitrary file reads beyond files the user supplies.
Install Mechanism
ok: No install specification or code files — instruction-only. That is the lowest-risk install pattern: nothing is downloaded or written by the skill itself.
Credentials
note: The skill requires a single service credential (NEMO_TOKEN), which is appropriate for an API-based renderer. The SKILL.md also describes generating an anonymous token if none is set. Aside from the earlier config path metadata mismatch, there are no other unrelated environment variables or secret requests. Recommend using a scoped/limited token for this service rather than reusing any broad-purpose credentials.
Persistence & Privilege
ok: The skill is not always-on and is user-invocable. It does instruct storing session_id and using returned tokens for the session (normal for API sessions) but does not request persistent system-level privileges or permission to modify other skills or system-wide settings.