Skill v1.0.0

ClawScan security

Image To Video Canva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 3:49 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with an image→video cloud rendering service, but there are minor metadata inconsistencies and privacy implications you should review before use.
Guidance
This skill appears to do what it says: it uploads your images to a third-party rendering service and returns a video. Before installing or using it, consider:
(1) Source/trust: the package source and homepage are unknown; verify the service domain (mega-api-prod.nemovideo.ai) and its privacy/security posture.
(2) Privacy: your images will be uploaded to that external service (including any metadata); do not send sensitive or private images unless you trust the service.
(3) Credentials: you can provide your own NEMO_TOKEN or the skill will obtain an anonymous token for you; anonymous tokens may still allow uploads tied to a generated client ID.
(4) Local config access: frontmatter references ~/.config/nemovideo/ and auto-detection of an install path for a header value; confirm whether the agent will read local files you care about.
If anything is unclear, request the publisher/source, documentation, or a privacy policy before proceeding. If you proceed, prefer using temporary/limited tokens and avoid uploading sensitive content.

Review Dimensions

Purpose & Capability
ok: The name/description (convert still images to short videos) match the required credential (NEMO_TOKEN) and the SKILL.md's API calls to a cloud rendering endpoint (mega-api-prod.nemovideo.ai). Requiring a service token is expected for this purpose.
Instruction Scope
note: Instructions explicitly direct the agent to create sessions, upload files (multipart or by URL), stream SSE messages, poll render status, and download results, all consistent with a cloud render pipeline. Two notes: (1) the SKILL.md instructs generating an anonymous token if no NEMO_TOKEN is present (it posts to the service to obtain one), which is reasonable but means the agent will call an external auth endpoint automatically; (2) the frontmatter includes a config path (~/.config/nemovideo/) and a requirement to auto-detect an install path for X-Skill-Platform headers; these imply the skill may read local installation/config paths if present, which is more than purely handling uploaded images.
Install Mechanism
ok: This is instruction-only with no install spec or code files, so nothing is written to disk by the skill itself. That minimizes installation risk.
Credentials
note: Only one credential is declared (NEMO_TOKEN), which is appropriate. The SKILL.md also describes creating an anonymous token when none is present. However, frontmatter metadata references a config path (~/.config/nemovideo/), which suggests the skill may look for or store local config/credentials; this was not reflected in the initial registry listing and should be clarified.
Persistence & Privilege
ok: always:false is set, and the skill does not request elevated system-wide privileges or modify other skills. It may create/use session tokens for the service, which is normal for this type of integration.