Skillv1.0.0

ClawScan security

Ai Image To Video Gratis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 8:13 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and instructions are generally consistent with a cloud image-to-video service (it needs a NEMO_TOKEN and talks to nemovideo APIs), but there are small metadata inconsistencies and normal privacy/exfiltration considerations you should understand before uploading files or allowing the agent to acquire/store tokens.
Guidance: This skill appears to do what it says: it will upload images you give it to a third‑party cloud service (mega-api-prod.nemovideo.ai) and return rendered videos. Before installing or using it: 1) Do not upload sensitive images or files you don't want sent to an external service. 2) Confirm whether you want the agent to auto-acquire and store an anonymous NEMO_TOKEN; prefer using a token you control if you care about provenance/retention. 3) Ask the publisher (or inspect runtime) to clarify the config path behavior (~/.config/nemovideo/) because the registry metadata and SKILL.md disagree. 4) If you need stronger assurance, verify the service domain and privacy/retention policy for nemovideo, and restrict the agent's file-access scope so it can only read images you explicitly provide.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: calls a nemo video backend, uploads image files, creates sessions, renders and returns download URLs. Requiring NEMO_TOKEN is coherent for a hosted API. Note: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata above said no config paths — this is a minor inconsistency.
Instruction Scope: noteInstructions stay within the stated purpose: check for NEMO_TOKEN, obtain an anonymous token if missing, create a session, upload images, stream SSE, and poll a render endpoint. The skill expects to accept local file paths or URLs and will upload those files to the third-party API — which is expected for this use-case but means any file you point it at will be transmitted to the service. The instructions do not ask the agent to read arbitrary unrelated system files or unrelated environment variables.
Install Mechanism: okNo install spec and no code files — instruction-only. This minimizes installation risk because nothing is written to disk by an installer in advance.
Credentials: noteOnly one declared credential (NEMO_TOKEN / primaryEnv) is required, which matches the API usage. The skill also describes a flow to obtain an anonymous token if NEMO_TOKEN is absent. Consider whether you want an agent to auto-acquire and retain that token on your behalf. There are no other unrelated secrets requested.
Persistence & Privilege: okalways:false and no instructions to modify other skills or global agent settings. The skill keeps a session_id for job operations (expected). The only slight concern is the SKILL.md frontmatter listing a config path (~/.config/nemovideo/) — if the agent actually reads or writes that path it would create local persistence; the registry metadata earlier contradicts this, so confirm intended behavior.