Skill v1.0.0

ClawScan security

Video Maker With Photos Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 4:04 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are largely consistent with a photo→video cloud rendering service, but review privacy and the declared credential handling before installing.
Guidance
This skill appears to be a straightforward front-end for a third‑party cloud video service and will upload any photos you give it to mega-api-prod.nemovideo.ai for server-side rendering. Before installing, consider:
1) Privacy — your images and any captions are sent to an external service; review their privacy/terms and avoid uploading sensitive content.
2) Credentials — NEMO_TOKEN (a Bearer token) grants API access; only provide a token you control and do not reuse credentials from other services. The skill can request a temporary anonymous token itself, so supplying a token is optional in practice; check why the registry declares it required.
3) Trust & provenance — the skill's source/homepage is unknown; if this matters, verify the service operator or prefer a skill from a known publisher.
4) Billing/credits — the instructions mention credits and anonymous tokens with limited credits/expiry; confirm any paid usage before submitting many or large files.
If you want a stronger assessment, provide the skill publisher's homepage or the service privacy policy so I can check domain reputation and data retention practices.

Review Dimensions

Purpose & Capability
note
Name/description (turn photos into videos) match the API endpoints and actions described (session, upload, render). Small inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) but the registry metadata shown above lists no required config paths — this is likely minor metadata drift but worth noting.
Instruction Scope
ok
SKILL.md instructs only to connect to the nemovideo API, create sessions, upload image files, stream SSE events, poll export status, and return download URLs. It does not instruct reading unrelated local files or other environment variables. Important operational behavior: user image files and any metadata are uploaded to a remote domain (mega-api-prod.nemovideo.ai).
Install Mechanism
ok
Instruction-only skill (no install spec, no code files). This is the lowest-risk install pattern because nothing is written to disk by an installer.
Credentials
note
The only declared required env var is NEMO_TOKEN (primary credential), which is appropriate for an API-backed service. SKILL.md, however, can obtain an anonymous short-lived token if NEMO_TOKEN is absent, so listing NEMO_TOKEN as strictly required is slightly inconsistent. Bearer tokens grant API-level access—do not reuse sensitive credentials from other services.
Persistence & Privilege
ok
always:false and normal agent invocation; the skill does not request permanent/always-on privileges or modification of other skills' configs.