Skillv1.0.0

ClawScan security

Image To Video Free Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 8, 2026, 6:00 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions align with an image→video cloud service: it needs a NEMO_TOKEN (or can obtain an anonymous one), talks only to the stated nemo API endpoints, and has no install or unrelated credential requests.
Guidance: This skill will upload any image you give it to an external cloud backend (mega-api-prod.nemovideo.ai) for processing. It requires either you to provide a NEMO_TOKEN or it will request an anonymous token from that service on your behalf (the anonymous token grants limited free credits and expires). Before installing or using: 1) Confirm you are comfortable with the privacy implications of uploading images to a third-party service (do not upload sensitive images). 2) Do not provide unrelated secrets; only NEMO_TOKEN is required. 3) Be aware the skill may create an anonymous token automatically if you don't provide one — this is expected behavior per the instructions. 4) Verify the external service/domain is trustworthy if you need stronger assurance (this manifest contains no independent provenance or homepage). If any of these points are unacceptable, do not install or provide credentials.
Findings: [no-regex-findings] expected: The static scanner found no code-level patterns because this is an instruction-only skill; network calls and behavior are described in SKILL.md rather than present as code to scan.

Purpose & Capability: okName/description describe image-to-video generation and the skill only asks for a NEMO_TOKEN and a nemovideo config path, which match the stated cloud backend usage.
Instruction Scope: noteSKILL.md instructs the agent to check NEMO_TOKEN, create an anonymous token via the nemovideo auth endpoint if missing, create a session, upload images, use SSE, poll renders, and return signed video URLs. Those steps are within the expected scope for a remote image-to-video pipeline, but the skill will upload user images and make network calls to the mega-api-prod.nemovideo.ai domain — users should be aware their files and metadata are sent to that external service. The skill also suggests detecting the install path to set an attribution header (minor filesystem check).
Install Mechanism: okInstruction-only skill with no install spec or archive downloads; nothing is written to disk by an installer in the manifest.
Credentials: okOnly a single credential (NEMO_TOKEN) and an optional config path (~/.config/nemovideo/) are declared. The SKILL.md behavior (using NEMO_TOKEN or obtaining an anonymous token) aligns with that requirement and does not request unrelated secrets or additional environment variables.
Persistence & Privilege: okSkill is not always-enabled, does not request persistent system-level privileges, and does not modify other skills or global agent settings according to the instructions.