Skill v1.0.0
ClawScan security
Image To Video Honor 400 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 16, 2026, 8:28 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (cloud image→video conversion) matches the single credential it requests, but there are metadata inconsistencies, an unknown origin, and the runtime instructions call for out-of-band network activity (anonymous token issuance, session persistence, and file uploads) that users should explicitly consent to and understand before installing.
- Guidance: Before installing: (1) Understand that your images and metadata will be uploaded to mega-api-prod.nemovideo.ai for processing — verify you are comfortable with that third party handling your media. (2) Ask the publisher to explain where the anonymous token and session_id are stored (disk path, lifetime, and whether tokens persist beyond 7 days). (3) Resolve the metadata inconsistency about ~/.config/nemovideo/ so you know whether files/credentials will be written to your home directory. (4) Prefer an explicit opt-in prompt before the skill automatically requests a token or uploads files. (5) Because the skill's source/homepage is unknown, exercise extra caution: if privacy or provenance matters, only proceed after getting a verifiable publisher/endpoint and privacy terms.
Review Dimensions
- Purpose & Capability [note]: The skill name/description (image→video conversion) aligns with the declared primary credential (NEMO_TOKEN) and the runtime instructions for a cloud render pipeline. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata shows no required config paths, an internal inconsistency that should be clarified.
- Instruction Scope [concern]: The SKILL.md instructs the agent to automatically contact an external backend (https://mega-api-prod.nemovideo.ai) on first use, obtain an anonymous token if NEMO_TOKEN is not present, create sessions, upload user files, and poll render status. This is coherent with the stated purpose but constitutes automatic network activity and third-party handling of user images and metadata; there is no explicit user-consent step described. The file upload and token issuance behavior should be made explicit to users.
- Install Mechanism [ok]: Instruction-only skill with no install spec or downloaded code, which minimizes on-disk risk. No installers, package pulls, or archive extraction are present.
- Credentials [note]: Only NEMO_TOKEN is required, which is proportionate to a cloud API integration. The SKILL.md also instructs generating and using an anonymous token when none is set and storing a session_id; the exact storage location and lifecycle for the token/session are not specified. The frontmatter's mention of a config path (~/.config/nemovideo/) is not reflected in the registry metadata; clarify whether the skill will write credentials/config to disk.
- Persistence & Privilege [note]: The skill does not request 'always: true' and is user-invocable only. It does, however, describe persisting session_id and using tokens that can remain valid for days, and it will autonomously perform network calls on first use if no token is present. That autonomous network activity increases privacy exposure but is not an elevated platform privilege by itself.
