Skill v1.0.0
ClawScan security
Image To Video Creator Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 2:11 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions mostly match an image→video service (it only needs a single API token and uploads images to a remote renderer), but the package has no provenance, an unknown backend domain, and small metadata inconsistencies that warrant caution before installing.
- Guidance: Before installing, consider the following: (1) provenance — this skill has no source repo or homepage and calls an external host (mega-api-prod.nemovideo.ai); verify that domain and the project are legitimate. (2) Privacy — using the skill will upload your images (including any sensitive content) to that external service; review their terms, retention policy, and whether uploads are encrypted in transit and at rest. (3) Credentials — the skill accepts a NEMO_TOKEN; provide a scoped or throwaway token if possible (do not put a long-lived account-wide secret in a global NEMO_TOKEN). (4) Metadata mismatch — ask the publisher to clarify why SKILL.md frontmatter mentions a config path (~/.config/nemovideo/) that is not declared elsewhere. (5) Testing — if you proceed, test with non-sensitive images first and monitor network calls. If the vendor/source cannot be verified or you cannot obtain privacy/retention guarantees, avoid installing or restrict use to disposable tokens and dummy content.
Review Dimensions
- Purpose & Capability (note): The name/description (convert images to MP4) aligns with the SKILL.md which calls a remote rendering API and describes upload, SSE and export flows. Requesting a single NEMO_TOKEN credential is proportional. However, the skill has no listed source/homepage and the registry metadata in the scanned manifest omitted config paths while the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) — a mild inconsistency in metadata/provenance.
- Instruction Scope (note): Instructions remain within the service's domain: creating/using a NEMO_TOKEN, creating a session, uploading images, streaming SSE, polling render status, and returning a download URL. The agent is instructed to upload local files (multipart -F "files=@/path"), which is expected for this skill but means user images are transmitted to the external API. The SKILL.md does not ask the agent to read unrelated system files, but it does reference a config path in metadata that is not otherwise used in the instructions.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest installation risk. Nothing will be written to disk by an installer step. The runtime instructions will, however, cause outbound network calls to the described API.
- Credentials (note): Only one environment variable (NEMO_TOKEN) is required and declared as primaryEnv, which is appropriate for an API-backed renderer. The SKILL.md also describes generating an anonymous token via API if no NEMO_TOKEN is present. The frontmatter's configPaths claim (~/.config/nemovideo/) is not reflected in the registry 'Requirements' listing and is not necessary to the documented flows — this mismatch should be clarified.
- Persistence & Privilege (ok): always is false and there is no install step that modifies other skills or system-wide settings. The skill runs as an instruction-only integration and does not request permanent elevated presence.
