Skill v1.0.0

ClawScan security

Free Video Generator By Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 5:27 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud video-generation service: it only needs a single service token (NEMO_TOKEN), makes API calls to a named backend, and has no install steps or unrelated credential requests — but the backend and publisher are unknown so you should review where your images and token are sent before using it with sensitive data.
Guidance
This skill appears internally consistent for a cloud video-rendering service, but it uploads images and uses a token with the named backend (https://mega-api-prod.nemovideo.ai). Before using it:
1) Do not set NEMO_TOKEN to any high-privilege or unrelated credential — create or use a token scoped to this service.
2) Avoid uploading sensitive or private images unless you trust nemovideo.ai and its privacy/retention policy.
3) If concerned, use the anonymous token path (the SKILL.md describes how one is obtained) instead of providing a persistent token.
4) Be aware the agent may attempt to inspect its install environment to set attribution headers — if you want to avoid any filesystem checks, ask the skill owner for a variant that doesn't derive X-Skill-Platform from install paths.
5) Because the publisher and homepage are unknown and there is no packaged code to audit, treat this skill as a third-party cloud service: verify the service's reputation and privacy policy or test with non-sensitive example images first.

Review Dimensions

Purpose & Capability
ok: The skill is a cloud video generator and declares a single service credential (NEMO_TOKEN) and a nemovideo config path; both align with a cloud API that performs rendering. No unrelated credentials or binaries are requested.
Instruction Scope
note: The SKILL.md gives explicit API workflows (session creation, upload, SSE, export) and only references the NEMO_TOKEN and session_id for sensitive material. It also instructs deriving attribution headers (X-Skill-Platform) by detecting install path — this could cause the agent to inspect its environment/filesystem to determine platform, which is not strictly necessary for core functionality but is low-risk. All other actions (uploading images, posting to the nemovideo endpoints) are coherent with the stated purpose.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code; nothing is written to disk by an installer. This is the lowest-risk install pattern.
Credentials
ok: Only one required environment variable (NEMO_TOKEN) is declared and used for API authorization. The token request is proportional to the service. The metadata references a config path (~/.config/nemovideo/) but no other secrets or unrelated environment variables are requested.
Persistence & Privilege
ok: always is false and there is no install-time modification of other skills or system-wide settings. The skill does not request permanent platform privileges beyond normal runtime network calls.