Skill v1.0.0

ClawScan security

Ai Image To Video Generate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 7:08 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are coherent with an image→video cloud-rendering service; nothing required is disproportionate, though there are a few minor metadata mismatches to be aware of.
Guidance
This skill appears to do what it says: it connects to the Nemovideo cloud API, uploads images, and returns rendered video files. Before installing, consider: (1) You will be sending images to https://mega-api-prod.nemovideo.ai — do not upload private or sensitive images you wouldn't want processed by a third party. (2) The skill uses (or will obtain) an API token (NEMO_TOKEN); if you provide your own token, ensure it is scoped appropriately and not a high-privilege secret used elsewhere. (3) SKILL.md mentions reading the skill file and detecting install paths to populate attribution headers and also lists a config path (~/.config/nemovideo/) in its frontmatter — this metadata mismatch is minor but means the skill may look for that config directory. (4) No installers or external downloads are performed by the skill (instruction-only), which reduces disk-write risk. If you need stronger assurance: verify the domain and service (nemovideo.ai) independently, and avoid supplying any tokens that grant broad unrelated privileges.

Review Dimensions

Purpose & Capability
note: The skill's name/description match the instructions: it uploads images, creates a session, streams edits, and requests exports from a cloud rendering backend. The single required environment variable (NEMO_TOKEN) is appropriate for an API-backed service. Minor inconsistency: the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths.
Instruction Scope
note: SKILL.md stays focused on connecting to the Nemovideo API, uploading files, handling SSE streams, polling exports, and mapping GUI actions to API calls. It instructs the agent to read the skill's YAML frontmatter and detect install path (~/.clawhub, ~/.cursor/skills/) to populate X-Skill-Platform—this requires reading the skill file and inspecting install paths but is limited in scope and consistent with adding attribution headers. It does not instruct the agent to read unrelated system files or other credentials.
Install Mechanism
ok: No install spec or code files — instruction-only. Nothing is downloaded or written to disk by an install step, which minimizes risk.
Credentials
note: Only NEMO_TOKEN is required and is the logical primary credential for a cloud rendering API. The SKILL.md also describes generating an anonymous token by POSTing to the service when no NEMO_TOKEN is present (ephemeral token, 100 free credits, 7-day expiry), which is reasonable but means the agent will obtain and use an API token at runtime. The presence of a configPaths entry in the SKILL.md metadata (not reflected in registry metadata) is an unexplained discrepancy — it implies possible read access to ~/.config/nemovideo/, which is not declared elsewhere.
Persistence & Privilege
ok: always:false and normal autonomous invocation are used. The skill stores transient session_id and tokens for API interactions (expected). It does not request persistent or cross-skill modifications or elevated system privileges.