Skill v1.0.0

ClawScan security

Image To Video Ai Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 8, 2026, 6:53 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches an image→video assistant but has ambiguous/overbroad runtime instructions around token handling, filesystem attribution, and session persistence that the user should understand before installing.
Guidance
This skill will contact api.nemovideo.ai, upload images, and store a session token so it can call the service on your behalf. Before installing: (1) Decide whether you trust mega-api-prod.nemovideo.ai with any images you upload (they may contain PII). (2) Note the skill can auto-create an anonymous NEMO_TOKEN if you do not provide one — if you prefer control, supply your own token from a trusted account. (3) Ask where session_id and tokens are stored (metadata references ~/.config/nemovideo/) and how to revoke/delete them; if you’re uncomfortable with persistent tokens, don’t install. (4) Because this is instruction-only (no code to inspect), consider testing with non-sensitive images first or running in a restricted environment. If you want, I can list the specific API calls and headers the skill will use or help craft a privacy checklist to decide whether to proceed.

Review Dimensions

Purpose & Capability
note: The declared purpose (animate images via a free cloud backend) aligns with requests to call the nemovideo.ai API and use a NEMO_TOKEN. Minor inconsistency: the registry declares NEMO_TOKEN as required but the runtime instructions also describe automatically obtaining an anonymous token if none is present.
Instruction Scope
note: Instructions direct the agent to call multiple external endpoints (authentication, SSE run, upload, render, credits/state endpoints) and to upload files/URLs to the backend — expected for this skill. They also instruct the agent to detect install path and read the skill's frontmatter for attribution headers and to 'store the returned session_id' for later requests. That implies filesystem access and secret/session storage but does not specify storage location or retention, creating ambiguity about what will be written to disk and what is kept secret.
Install Mechanism
ok: No install spec or bundled code is present (instruction-only), so nothing is written to disk by an installer. Network calls happen at runtime instead; this is lower installation risk.
Credentials
note: Only one credential (NEMO_TOKEN) is requested, which is reasonable for a hosted service. However, the skill both declares the env var as required and describes a flow to obtain an anonymous token itself — a mismatch the user should know about. Metadata also lists a config path (~/.config/nemovideo/) suggesting persistent storage of session information.
Persistence & Privilege
note: The skill is not always-enabled and does not request elevated system privileges, but it does instruct storing a session_id and references a config path. The lack of explicit guidance about where session data or tokens are stored and for how long is a persistence/privacy concern.