Skill v1.0.0

ClawScan security

Ai Animation Photo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:58 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are coherent with an online photo-to-video rendering service; nothing requested appears unrelated to its stated purpose.
Guidance
This skill uploads user photos and any provided audio to a third-party cloud service (mega-api-prod.nemovideo.ai) for rendering — that is the intended behavior. Before installing, consider:
1) privacy: do not send sensitive or private images unless you trust the service and its privacy terms;
2) credential hygiene: only set NEMO_TOKEN for this service and avoid reusing high-privilege credentials;
3) token lifetime: the skill will accept a provided NEMO_TOKEN or obtain an anonymous token (100 credits, 7-day expiry) by calling the service; if you prefer explicit control, supply your own token rather than letting the skill request one automatically;
4) filesystem access: the skill may check its install path or save session state under ~/.config/nemovideo/ for attribution and session persistence; ensure you are comfortable with that location being used;
5) network trust: the skill talks to a single external domain — verify you recognize and trust that endpoint.
Overall the skill appears internally consistent with its purpose, but it necessarily transmits user media to a remote renderer, so treat uploaded content and tokens accordingly.

Review Dimensions

Purpose & Capability
ok · Name/description describe a cloud-based photo animation service and the skill only requires a single service credential (NEMO_TOKEN) plus an optional local config path; those map to the documented API endpoints and session flow.
Instruction Scope
note · The SKILL.md instructs the agent to: use NEMO_TOKEN if present or obtain an anonymous token from the service, create sessions, upload user files, stream SSE responses, poll state, and include attribution headers. All of these are consistent with driving a remote render pipeline. Note: the skill expects to read its own frontmatter and detect install path (to set X-Skill-Platform), which implies reading agent installation paths — this is reasonable for attribution but does require filesystem access to determine the platform.
Install Mechanism
ok · No install spec or code is provided (instruction-only), so nothing is downloaded or written by an installer — low install risk.
Credentials
ok · Only NEMO_TOKEN is required (declared as primaryEnv). The skill also documents generating an anonymous token when NEMO_TOKEN is absent. The declared config path (~/.config/nemovideo/) is consistent with storing session/credentials for this service. No unrelated credentials or broad secret access are requested.
Persistence & Privilege
ok · always is false; the skill will create and use sessions with the remote service and may persist session state under its own config path — this is proportional to its function and does not request elevated system privileges or modify other skills.