Skill v1.0.0
ClawScan security
Ai Image In Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 12:51 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions generally match its stated purpose (cloud video compositing) but there are a few minor inconsistencies you should confirm before installing.
- Guidance: This skill appears to do what it says: it calls a nemovideo.ai backend to composite images into videos and needs one token (NEMO_TOKEN). Before installing: confirm what NEMO_TOKEN grants (least privilege), verify you trust https://mega-api-prod.nemovideo.ai, and be aware the skill expects to upload files (it may request local file paths or use files you attach). Also ask the publisher to clarify the metadata/config-path mismatch (~/.config/nemovideo/) so you know whether the skill will attempt to read any config files on your machine.
Review Dimensions
- Purpose & Capability (ok): Name/description (insert images into videos) aligns with the single credential requested (NEMO_TOKEN) and the documented API endpoints at mega-api-prod.nemovideo.ai. No unrelated credentials or binaries are requested.
- Instruction Scope (note): SKILL.md contains clear API workflows (anonymous-token, create session, upload, SSE streaming, render/poll). It instructs uploads via multipart with file paths (e.g., -F "files=@/path") which implies the agent may need access to user-supplied files or local filesystem paths — this is expected for a file-uploading video service but is the primary privacy surface to be aware of.
- Install Mechanism (ok): No install spec or external downloads; instruction-only skill means nothing is written to disk by the skill itself during install.
- Credentials (note): Only NEMO_TOKEN is declared as required (primaryEnv). That is proportionate for a cloud API client. However SKILL.md metadata also lists a configPaths entry (~/.config/nemovideo/) even though the registry summary listed no required config paths — this mismatch should be clarified (is the skill expected to read that config directory?).
- Persistence & Privilege (ok): always is false and there is no request to modify other skills or system-wide settings. The skill uses session tokens for transient jobs; no elevated permanence is requested.
