Skill v1.0.0

ClawScan security

Ai Image To Video Invideo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 12:10 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill’s declared purpose (convert images to videos) matches what its instructions do: it requires a NEMO_TOKEN and calls nemovideo.ai APIs to upload images, create sessions, and return rendered videos — there are no unrelated credentials or risky install steps.
Guidance
This skill appears to do what it says: it will upload your images and use nemovideo.ai to render videos, so only install it if you trust that external service. Key things to consider before installing:

1) Privacy: uploaded images are sent to mega-api-prod.nemovideo.ai — review that service's privacy/billing policies if your images are sensitive.
2) Credentials: you can supply your NEMO_TOKEN or the skill will request an anonymous token on your behalf (100 free credits, 7-day expiry) — be aware the skill may create/use tokens automatically.
3) Local reads: the skill reads its own frontmatter and inspects install paths to populate attribution headers — this is limited access but worth noting.
4) Ask the publisher to clarify the small metadata inconsistency (SKILL.md frontmatter lists a config path ~/.config/nemovideo/ while the registry metadata listed none).

If any of these behaviors are unacceptable, do not install.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions: the SKILL.md describes uploading images, creating sessions, SSE generation, export, and credit checks against mega-api-prod.nemovideo.ai. The only declared credential (NEMO_TOKEN) is directly relevant to the service.
Instruction Scope
note: Instructions are focused on the video-creation API endpoints and error handling. They also instruct the agent to read this skill file's YAML frontmatter at runtime and to detect the install path (~/.clawhub, ~/.cursor/skills/) to populate X-Skill-Platform; reading the skill's own frontmatter is reasonable, but runtime filesystem/installation-path inspection is broader than strictly required for an API client and should be noted.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This is lowest-risk from an installation perspective (nothing is downloaded or written to disk by an installer).
Credentials
ok: Only one environment credential is required (NEMO_TOKEN) and it is the primary credential for the described cloud service. The SKILL.md also describes obtaining an anonymous token if none is provided; no unrelated secrets or multi-service credentials are requested.
Persistence & Privilege
ok: always is false and the skill does not request elevated platform-wide privileges. It does store session_id and tokens for API calls (normal for a client), and does not modify other skills or system-wide settings.