Skill v1.0.0

ClawScan security

Image To Video Online Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 16, 2026, 4:28 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (turn images into videos via a remote API) is coherent, but the runtime instructions ask the agent to read local install paths / frontmatter and include an unexplained config path entry — these filesystem-access steps and metadata mismatches don't clearly belong to the stated functionality.
Guidance
This skill mostly does what it says: it will call a remote nemovideo.ai API to create videos and needs a NEMO_TOKEN (or it will request an anonymous token for you). Before installing, consider:

1) Are you comfortable the agent will make network calls to https://mega-api-prod.nemovideo.ai and potentially obtain an anonymous token automatically?
2) The skill asks the agent to read this skill file's frontmatter and probe common install paths (e.g., ~/.clawhub, ~/.cursor/skills) to set attribution headers — if you prefer the agent not to read your home-directory paths, avoid installing or ask the developer to remove that behavior.
3) There's an inconsistency between the SKILL.md frontmatter (which mentions ~/.config/nemovideo/) and the registry metadata — ask the author to clarify why that config path is needed or remove it.

If you proceed, provide only the minimum credential you trust (or let the skill use an anonymous token) and monitor what it returns/downloads. If you want higher assurance, request the developer publish a source/homepage and explain the configPath/platform-detection logic in writing.
Findings
[no_regex_findings] expected: The repo is instruction-only (no code files) so the static regex scanner had nothing to analyze. Absence of findings is expected but not evidence of safety.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (server-side image→video rendering) matches the API calls and the single required credential (NEMO_TOKEN). However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) that is unnecessary for a purely remote API-based workflow and contradicts the registry metadata (which lists no required config paths).
Instruction Scope
concern: Instructions require creating sessions, uploading files, and using SSE to drive edits — all expected. But they also instruct the agent to read this file's YAML frontmatter and detect the skill platform by checking install paths (e.g., ~/.clawhub/, ~/.cursor/skills/). Detecting arbitrary install paths / home-directory locations and hiding technical details from users are scope-creep / transparency concerns because they require filesystem access not obviously needed to convert images.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code — low install risk. Nothing is written to disk by an installer in the provided metadata.
Credentials
note: Only NEMO_TOKEN is declared as required, which is proportional. But the instructions will create an anonymous token when NEMO_TOKEN is absent (calling an external API automatically). The frontmatter's configPaths declaration (which is inconsistent with registry metadata) suggests additional config file access that isn't justified by the skill's purpose.
Persistence & Privilege
ok: Skill is not always-on and does not request persistent system privileges. The only extra privilege-like action is reading the skill file/frontmatter and probing common install paths to set an attribution header — this is limited but should be noted.