Skill v1.0.0

ClawScan security

Image To Video Editor Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 4:34 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill behaves like a cloud-based image→video service (which matches its description) but its runtime instructions perform automatic token generation, require uploading user files to an external domain, and reference storing session/token state and auto-detecting install paths — there are small metadata mismatches and privacy/handling concerns you should understand before installing.
Guidance
This skill will send your images and generated anonymous tokens to an external service (mega-api-prod.nemovideo.ai) and may store session/token data locally. Before installing:
1) Confirm you are comfortable uploading your images to that external domain and check the vendor/service reputation and privacy policy.
2) Prefer providing your own NEMO_TOKEN if you want control over the credential lifecycle; if you rely on the automatic anonymous token, realize it grants the skill network access and is valid for a limited time.
3) Verify what (if anything) is written to ~/.config/nemovideo/ and whether you want that stored on your device.
4) Be aware the skill instructs reading file paths for uploads and auto-detecting install paths (which may access filesystem metadata).
If you need stronger guarantees, do not install or only use with non-sensitive images and with explicit review of network traffic and stored config files.

Review Dimensions

Purpose & Capability
note: The declared primary credential (NEMO_TOKEN) and the described API usage align with a cloud-based image→video editor. However the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and auto-detection of install path that the registry metadata did not list; storing session/token files locally is plausible but not justified explicitly in the registry, creating a mild incoherence.
Instruction Scope
concern: Runtime instructions tell the agent to: check environment for NEMO_TOKEN, generate an anonymous token by POSTing to an external endpoint if missing, create a session and persist session_id, and upload user files (via file paths or URLs) to https://mega-api-prod.nemovideo.ai. These steps require network calls, file reads (uploads), and storing tokens/session state. The instructions also ask to auto-detect an install path for X-Skill-Platform and to avoid displaying raw API responses/tokens to the user — all of which broaden the agent's runtime scope beyond a simple local-only helper and raise privacy/visibility concerns.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code to write to disk, which minimizes installation risk.
Credentials
note: Only a single credential (NEMO_TOKEN) is declared, which is proportionate for a cloud API. However, the skill will auto-obtain an anonymous token if none is provided and appears to store session state (and frontmatter references a config directory). That behavior means credentials/tokens and your uploaded media will be sent to and persisted by a third-party service — acceptable for this use case but worth explicit user consent and scrutiny.
Persistence & Privilege
ok: The skill is not always-enabled and requests no special platform privileges. It does instruct storing session_id/token (implied local persistence) but does not request to modify other skills or system-wide settings.