Skillv1.0.0

ClawScan security

Ai Image To Video Kling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 4:25 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared requirements and runtime instructions align with an image→video cloud service; nothing obvious is asking for unrelated credentials or installing code, but there are small metadata/instruction mismatches and it will upload user media to an external API you should trust.
Guidance: This skill authenticates to an external service (mega-api-prod.nemovideo.ai) and uploads your images/audio to generate videos. It requests NEMO_TOKEN but can obtain a 7‑day anonymous token automatically; tokens and job session IDs will be used as Bearer auth and sent on every request. Consider: only use with content you consent to upload; prefer the anonymous token or a dedicated service account rather than a personal long-lived credential; verify the service's privacy/terms (no homepage provided here); be aware the skill may read its own SKILL.md and detect install paths to set attribution headers. If you need stronger assurances, ask the publisher for a homepage/terms or test with non-sensitive images and a throwaway token first.

Review Dimensions

Purpose & Capability: okName/description (animate images to short videos) map to the declared primary credential (NEMO_TOKEN) and the API endpoints in SKILL.md. Required binaries are none and the endpoints correspond to a cloud rendering service, so the requested capability is proportionate to the purpose.
Instruction Scope: noteInstructions are focused on session creation, SSE streaming, uploads, and exports to the nemovideo.ai backend. They also instruct the agent to read this file's YAML frontmatter for attribution and to detect install path (e.g., ~/.clawhub/ or ~/.cursor/skills/) to set an X-Skill-Platform header — these filesystem checks are minor but outside strictly necessary image-processing logic.
Install Mechanism: okNo install spec or code files are present (instruction-only). Nothing is downloaded or written to disk by the skill itself per SKILL.md.
Credentials: noteThe only required environment variable is NEMO_TOKEN (primary credential) which matches the service. The SKILL.md also describes an anonymous-token fallback flow (POST to /api/auth/anonymous-token) that will obtain a short-lived token if none is present; this is reasonable but slightly inconsistent with declaring NEMO_TOKEN as required. Metadata mentions a config path (~/.config/nemovideo/) in the frontmatter, while registry metadata lists none — a minor mismatch.
Persistence & Privilege: okalways:false and normal autonomous invocation. The skill does not request elevated or persistent system privileges, does not install daemons, nor does it claim to modify other skills or system-wide settings.