Skill v1.0.0

ClawScan security

Image To Video Free Ai Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 12, 2026, 3:49 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and required token are consistent with an image→video cloud service, but there are small metadata inconsistencies and missing provenance (no homepage/source) that warrant caution before installing.
Guidance
This skill largely behaves like a thin client for a single cloud API and only asks for one token (NEMO_TOKEN). However: (1) the package has no homepage or source listed and the publisher identity is opaque — that reduces accountability; (2) the SKILL.md frontmatter mentions a local config path (~/.config/nemovideo/) that the registry did not list, which is an unexplained inconsistency; (3) the skill can generate an anonymous short-lived token for you if you don't supply one — prefer that over providing a long-lived credential; (4) confirm you trust the domain (mega-api-prod.nemovideo.ai) before uploading proprietary images and check the service's data retention/privacy policies; (5) if you proceed, prefer using temporary/limited-scope tokens, avoid supplying other unrelated credentials, and monitor for unexpected network activity. If you want higher assurance, ask the maintainer for a homepage, documentation, or repository link and clarification about the config path usage.

Review Dimensions

Purpose & Capability
note: The skill claims to convert images into videos and only requests a single service token (NEMO_TOKEN), which matches that purpose. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata listed no required config paths — this mismatch is unexplained and could indicate stale or inconsistent metadata.
Instruction Scope
ok: Runtime instructions are narrowly scoped to interacting with the nemo-video API (session creation, SSE chat, upload, export, credits/state). They instruct generating an anonymous token if none is provided and to upload user images; they do not ask the agent to read unrelated system files, histories, or external endpoints.
Install Mechanism
ok: No installation steps or downloads are present (instruction-only skill), so nothing is written to disk by an installer. This is the lower-risk configuration for skills.
Credentials
note: Only one credential (NEMO_TOKEN) is declared as required and that is proportional for a cloud rendering API. The SKILL.md also documents a flow to mint an anonymous token if no token is present (reasonable). The unexplained frontmatter configPaths entry suggests the skill might also look for local config (~/.config/nemovideo/) — that access wasn't declared in the registry metadata and is not justified in the prose.
Persistence & Privilege
ok: The skill is not marked always:true, uses normal autonomous invocation defaults, and does not request system-wide persistence or modification of other skills. No elevated presence is requested.