Skill v1.0.0
ClawScan security
Video Generator Free From Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 2:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud-based image→video service: it needs one service token (NEMO_TOKEN), talks to the stated backend API, and uploads user images for server-side rendering — nothing requested appears unrelated to the stated purpose.
- Guidance: This skill appears to do what it says: it sends your images to a nemovideo backend, creates sessions, and returns rendered video URLs. Before using it: (1) be aware your images (and any metadata) will be uploaded to an external service — avoid uploading sensitive/private images unless you trust the service and its retention/privacy policies; (2) you can supply your own NEMO_TOKEN if you have an account, otherwise the skill will obtain an anonymous token for you (temporary credits); (3) metadata mentions a config path (~/.config/nemovideo/) — ask whether session tokens or logs are stored locally and where; (4) verify the backend domain (mega-api-prod.nemovideo.ai) and review vendor/privacy docs if possible. If you need the skill to avoid external uploads entirely, do not install/use it.
Review Dimensions
- Purpose & Capability (ok): The name/description match the runtime instructions: the skill calls a remote 'nemovideo' API, creates sessions, uploads images, streams SSE results, polls render endpoints and returns download URLs. Requiring a single NEMO_TOKEN credential and a config path for nemovideo is consistent with a cloud-render video service.
- Instruction Scope (note): Instructions are narrowly focused on session creation, SSE streaming, uploads, polling render jobs and exporting results. One notable behavior: if NEMO_TOKEN is absent the skill will request an anonymous token from the remote endpoint (POST /api/auth/anonymous-token) and treat the returned token as NEMO_TOKEN. Also, the skill will upload user images to the remote service — this is necessary for its functionality but is a privacy/hosted-data transfer you should expect. The SKILL.md says not to expose tokens or raw API output, but it does not specify how tokens/session_id should be persisted (metadata mentions ~/.config/nemovideo/).
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That is the lowest-risk install model and is proportionate for a connector to a cloud API.
- Credentials (note): Only one environment variable (NEMO_TOKEN) is required as the primary credential, which is appropriate for a hosted service. The skill will generate and use an anonymous token if none is provided, granting temporary credits — this is expected but means the agent will contact an external API on your behalf. Metadata also references a config path (~/.config/nemovideo/) which suggests possible local storage of session/token data; the SKILL.md does not clearly state whether it will write to that path.
- Persistence & Privilege (ok): always:false (default) and no install hooks are present. The skill may run autonomously per platform defaults but does not request elevated or system-wide privileges, nor does it instruct modification of other skills or global agent settings.
