Skill v1.0.0

ClawScan security

Image To Video Low Vram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 20, 2026, 3:51 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions align with its stated purpose (remote image→video rendering) and only ask for a service token; nothing requires unrelated credentials or local system-wide access.
Guidance
This skill appears to do what it says: it uploads user images to a remote rendering service and returns generated videos. Before installing, consider: 1) the skill will use or obtain a NEMO_TOKEN and store session state (anonymous tokens expire after 7 days); 2) it makes network calls to https://mega-api-prod.nemovideo.ai; if you need to audit data flows, review their privacy/retention policy, because your uploaded images and any prompts are sent to that service; 3) clarify the minor metadata mismatch (SKILL.md frontmatter claims a config path ~/.config/nemovideo/ while the registry summary listed none) if you want to be sure the skill will not read local config files unexpectedly. If those points are acceptable, the skill is coherent with its purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (animate images into short videos on remote GPUs) match the runtime instructions: all network calls target a remote rendering API, uploads are supported, and an API token (NEMO_TOKEN) is required. The requested capability (NEMO_TOKEN + session management) is proportional to a cloud render service.
Instruction Scope
note
The SKILL.md's runtime steps are focused on authentication, session creation, upload, SSE-based generation, and export polling, all consistent with a cloud-render workflow. Note: the doc instructs the agent to generate an anonymous token automatically if NEMO_TOKEN is not present and to store session_id/token for subsequent calls; it also says not to display raw token values. This is expected, but you should be aware tokens are created/stored and network calls are made to an external API. Also, the frontmatter references a config path (~/.config/nemovideo/) and a platform-detection step (install path → X-Skill-Platform); these are minor scope extensions (metadata/config awareness) but not suspicious on their own.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This is the lowest-risk install model.
Credentials
note
Only one required env var (NEMO_TOKEN / primaryEnv), which is appropriate for a remote API. The instructions include a flow to obtain an anonymous token via the service if no token is present; that behavior is consistent with the declared credential. One minor inconsistency: the registry metadata summary at the top reported 'Required config paths: none', but the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/). This mismatch should be clarified (does the skill read that path or merely declare it?).
Persistence & Privilege
ok
Skill is not always:true and does not request elevated platform privileges. It stores session state/tokens for its own operation (normal). Autonomous invocation is allowed (default) but not combined with other broad permissions, so risk is standard for an agent-invokable connector.