Skill v1.0.0

ClawScan security

Jogg Ai Image To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 4:48 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (convert images to short videos) aligns with the requests it makes (a single NEMO_TOKEN and calls to nemovideo.ai); there are minor metadata inconsistencies and you should still review privacy/trust before uploading images.
Guidance
This skill appears to do what it says: it uploads images to a nemovideo.ai backend to render short videos and only needs an API token. Before installing, consider: (1) Privacy — your images (up to 200MB) will be sent to an external service; avoid uploading sensitive or private photos unless you trust the provider. (2) Token handling — the skill can auto-generate an anonymous token if NEMO_TOKEN is not set; if you prefer control, set NEMO_TOKEN yourself. (3) Metadata mismatch — the frontmatter mentions a local config path (~/.config/nemovideo/) which the registry did not list; confirm whether the skill will read or write local files if that matters. (4) Trust the domain — requests go to mega-api-prod.nemovideo.ai; if you need stronger assurance, ask for a homepage, privacy policy, or the operator identity before use. If you are comfortable with those trade-offs, the skill is internally consistent and low-risk from an installation perspective.

Review Dimensions

Purpose & Capability
note: The skill's name/description match the actions in SKILL.md: uploading images, creating sessions, rendering, and returning video URLs on mega-api-prod.nemovideo.ai. Requesting NEMO_TOKEN is coherent for an API-backed renderer. One inconsistency: the SKILL.md frontmatter advertises a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths — this is likely benign but worth confirming.
Instruction Scope
ok: Runtime instructions stay within the described domain: authenticate (or obtain an anonymous token), create a session, upload media, use SSE for edits, poll export status, and return download URLs. The skill instructs the agent to generate an anonymous token if NEMO_TOKEN is not present and to avoid showing raw tokens to users. The instructions do not ask the agent to read unrelated files, other service credentials, or arbitrary system data.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. No downloads or archive extraction. This is the lowest install risk.
Credentials
note: Only NEMO_TOKEN is required/declared as the primary credential, which is proportionate to a cloud-rendering API. The frontmatter's mention of a config path (~/.config/nemovideo/) is not reflected in the registry metadata; it could indicate the skill expects or can use a local config directory but SKILL.md doesn't instruct reading it. No other unrelated credentials are requested.
Persistence & Privilege
ok: always:false (not force-included). The skill suggests storing session_id and using tokens for subsequent requests, which is normal for an API client. It does not request to modify other skills or global agent settings.