Skill v1.0.0

ClawScan security

Ai Image To Video K · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 4:39 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with an image->video cloud service: it reasonably needs an API token, uploads images to a remote rendering API, and has no unexplained extra privileges.
Guidance
This skill will upload whatever images (and any metadata) you provide to the external service at mega-api-prod.nemovideo.ai and uses an API token (NEMO_TOKEN) if present; if you don't provide one, it will request an anonymous token on your behalf. Before installing, confirm you trust nemovideo.ai (review their privacy and retention policy), avoid uploading sensitive images, and be aware the skill may read its own frontmatter and check common install paths to set attribution headers. If you prefer not to expose an existing NEMO_TOKEN in your environment, either do not set that variable or use an isolated environment for testing.
Findings
[no_regex_findings] expected: The static regex scanner had no code to analyze (instruction-only SKILL.md). Network calls and session creation are expressed in prose rather than code, so the scanner returned no matches; this is expected.

Review Dimensions

Purpose & Capability
ok
Name/description match the declared requirements: a single primary credential (NEMO_TOKEN) and an API hosted at nemovideo.ai are appropriate for a cloud image-to-video service. Declared config path (~/.config/nemovideo/) fits the purpose.
Instruction Scope
note
SKILL.md instructs the agent to use NEMO_TOKEN if present or request an anonymous token (POST to /api/auth/anonymous-token), create sessions, upload files, stream SSE, and poll renders — all expected for this service. It also directs the agent to read this skill's YAML frontmatter and check install paths (~/.clawhub/, ~/.cursor/skills/) to set an attribution header; reading those paths is minor but is extra filesystem access beyond strictly uploading images.
Install Mechanism
ok
Instruction-only skill with no install spec or external downloads; nothing is written to disk by an installer step in the skill bundle.
Credentials
ok
Only one environment variable (NEMO_TOKEN) is required and it is directly tied to the documented API. The skill will also create an anonymous token if none is provided, which is consistent with its described behavior.
Persistence & Privilege
ok
always:false and normal autonomous invocation. The skill does not request persistent system-wide changes or other skills' credentials.