Skill v1.0.0

ClawScan security

A2e Image To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 25, 2026, 12:18 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's claims (convert images to short videos) align with the runtime instructions and environment needs; nothing indicates it is doing a different or hidden task, though there are a few small inconsistencies worth checking before use.
Guidance
This skill appears to do what it says: send images to a remote NemoVideo API to produce short videos. Before installing or using it, consider: (1) NEMO_TOKEN (or the anonymous token the skill can fetch) grants the remote service access to any images you upload, so avoid uploading sensitive personal data unless you trust NemoVideo and understand their retention/privacy policy; (2) the SKILL.md references a config path (~/.config/nemovideo/) that the registry metadata did not declare, so confirm whether the integration will read that directory or any local files beyond the images you explicitly upload; (3) the skill will make outbound HTTPS calls to https://mega-api-prod.nemovideo.ai, so confirm you are comfortable sending media and prompts to that domain; (4) prefer supplying your own NEMO_TOKEN if you want tighter control over access/credentials. These are precautionary checks; there are no strong technical red flags suggesting the skill is doing unrelated or malicious work.

Review Dimensions

Purpose & Capability
ok
Name/description match the instructions: the SKILL.md describes calling a remote NemoVideo API to create/render short videos from uploaded images. Requesting a single service token (NEMO_TOKEN) is appropriate for this purpose.
Instruction Scope
note
Instructions are focused on the NemoVideo API (session creation, SSE for generation, upload, export/polling). They explicitly require uploading user files (multipart or URL) and may read local file paths for uploads. The doc also tells the agent to detect the install path (~/.clawhub, ~/.cursor/skills/) to set an X-Skill-Platform header; this implies inspecting those paths, which is plausible but broader than strictly necessary. No unrelated system-wide secrets or arbitrary file reads are requested in the instructions.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. Nothing is downloaded or written by an installer. This is the lowest-risk install model.
Credentials
note
The declared primary environment variable is a single service token (NEMO_TOKEN), which is appropriate. However, the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) not declared in the registry metadata, which is a small inconsistency. The skill also supports generating an anonymous token if no NEMO_TOKEN is present, which is expected behavior but means the service can be used without a user-supplied credential.
Persistence & Privilege
ok
always is false and there is no install-time persistence. The skill does not request or assert permanent presence or system-wide configuration changes.