Skill v1.0.0
ClawScan security
Maker From Photo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 6:34 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code-free instructions and requested NEMO_TOKEN align with a cloud-based photo→video service; nothing majorly out of scope, but there are a few small inconsistencies and privacy implications you should understand before use.
- Guidance: This skill will upload any images you give it to a third-party API at mega-api-prod.nemovideo.ai and use a NEMO_TOKEN bearer token for authorization. If you don't provide a token the skill will request an anonymous token from that service (100 free credits, short expiry). Before installing or using: (1) don't upload images you consider highly sensitive, because they will be sent off-box; (2) verify you trust the domain (mega-api-prod.nemovideo.ai); (3) if you supply a long-lived NEMO_TOKEN, be prepared to rotate/revoke it if needed; (4) note the skill may need access to local file paths for uploads and may read install-path metadata for a header — ensure that matches your privacy expectations. The skill appears internally coherent for its stated purpose, but exercise normal caution about sending personal or proprietary media to an external service.
Review Dimensions
- Purpose & Capability: ok. The skill claims to convert still images into videos via a cloud backend and only requests a single service token (NEMO_TOKEN) which matches that purpose. The declared config path (~/.config/nemovideo/) is plausible for storing service config, but the SKILL.md does not explicitly instruct reading that path — a minor mismatch but not a strong red flag.
- Instruction Scope: note. Runtime instructions are specific to the remote API: check NEMO_TOKEN, optionally obtain an anonymous token from the service, create a session, send SSE messages, and upload files (multipart or by URL). These steps require accessing user-supplied image files (paths or URLs) and making network calls to mega-api-prod.nemovideo.ai, which is coherent with the stated purpose. Note: instructions reference attaching local file paths (files=@/path) and auto-detecting an install path for X-Skill-Platform headers — both require the agent to access local filesystem metadata and user-provided files; this is expected but worth highlighting for privacy.
- Install Mechanism: ok. There is no install spec and no code files (instruction-only skill). This minimizes local installation risk — nothing is downloaded or written by an installer.
- Credentials: note. Only a single credential (NEMO_TOKEN) is required — appropriate for a cloud API. The SKILL.md also supports obtaining an anonymous token automatically if NEMO_TOKEN is absent. The metadata's configPaths entry is not referenced in the instructions; it's plausible but unexplained. No unrelated credentials or broad secrets are requested.
- Persistence & Privilege: ok. The skill is not always-enabled and doesn't request elevated agent privileges or modify other skills. It retains session state with the remote service (session_id) for job management, which is normal for a cloud job workflow.
