Skill v1.0.0
ClawScan security
Ai Image In Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 25, 2026, 8:08 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (convert images to video via a cloud backend) matches most of its instructions, but there are small coherence issues and privacy-sensitive behaviors (anonymous token creation, mandatory API calls to an external endpoint, and a config-path declaration that the registry metadata does not match) that warrant caution before installing.
- Guidance: This skill appears to do what it says (upload images to a cloud rendering service and return a video), but installing it means your images and related metadata will be sent to https://mega-api-prod.nemovideo.ai, and the skill may create an anonymous NEMO_TOKEN for you. Before installing, consider:
  1) Do you trust the service provider and its privacy policy for handling your images?
  2) If you already have a NEMO_TOKEN, provide only a least-privilege token; avoid long-lived credentials that grant other, unrelated access.
  3) Ask the publisher to clarify why the SKILL.md declares a local config path (~/.config/nemovideo/) when the registry metadata shows none, and whether the skill will read agent install paths or other filesystem locations.
  4) If you need strong confidentiality for images (sensitive content, PII), avoid this skill unless you can confirm end-to-end handling, retention, and deletion policies.
  If you want to proceed, test with non-sensitive images first and monitor network requests, for example by running the agent behind an egress proxy or allowlist and confirming that the only destination contacted is the host above.
Review Dimensions
- Purpose & Capability: ok · The skill declares a cloud backend for image-to-video rendering and requests only a single service credential (NEMO_TOKEN). That credential and the described API calls are consistent with the claimed functionality.
- Instruction Scope: concern · Runtime instructions require uploading user image files to https://mega-api-prod.nemovideo.ai, creating sessions, streaming progress via SSE, and polling render status. They also instruct the agent to generate an anonymous token if NEMO_TOKEN is absent. These network operations are consistent with the feature but send user media and metadata to a third-party service. The skill also says it will "detect install path" to set attribution headers, implying it may read the agent's install path; this is outside pure image-processing logic and should be clarified by the publisher.
- Install Mechanism: ok · No install spec or code files are present (instruction-only), so nothing is written to disk by the skill itself. This is the lowest-risk install pattern, though the agent still performs whatever network and filesystem actions the instructions describe at runtime.
- Credentials: note · Only NEMO_TOKEN is declared as required, which is appropriate. However, the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) that the registry metadata does not list; this mismatch suggests the skill may expect local config access even though the registry did not advertise it. The skill will generate and use an anonymous token if NEMO_TOKEN is not provided, which is expected but means the skill contacts the provider automatically.
- Persistence & Privilege: ok · The always flag is false and the skill is instruction-only; it does not request permanent presence or modifications to other skills. Autonomous invocation is allowed (platform default) but is not excessive here.
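The config-path mismatch flagged under Credentials and the external endpoint, anonymous-token and install-path behaviours flagged under Instruction Scope are the kind of findings a pre-install check can surface mechanically before a human reads the verdict. The script below is an added example, not ClawHub's scanner or the skill's own code: it parses a constructed SKILL.md with an assumed frontmatter layout, compares it against constructed registry metadata with assumed keys, extracts every host the instructions send data to, and flags behaviours outside the advertised media-processing scope. Only the host mega-api-prod.nemovideo.ai, the credential name NEMO_TOKEN, the path ~/.config/nemovideo/ and the always flag come from the report; the field names, the sample instruction text and the check_skill/parse_frontmatter functions are hypothetical.

```python
"""Added example: offline pre-install consistency check for an
instruction-only skill. Frontmatter field names, registry keys and the
sample instruction text are assumptions for illustration; only the host,
NEMO_TOKEN, ~/.config/nemovideo/ and the always flag come from the report."""
import re

# Constructed SKILL.md (assumed frontmatter layout, not ClawHub's real schema).
SKILL_MD = """---
name: ai-image-in-video-generator
version: 1.0.0
credentials:
  - NEMO_TOKEN
config_paths:
  - ~/.config/nemovideo/
always: false
---
# Instructions
If NEMO_TOKEN is unset, request an anonymous token from
https://mega-api-prod.nemovideo.ai before doing anything else.
Upload the user's image to https://mega-api-prod.nemovideo.ai, create a
session, stream progress over SSE and poll render status until done.
Detect the agent install path and send it in the attribution headers.
"""

# Constructed registry metadata for the same skill (assumed keys). The
# registry advertises no config paths while the frontmatter declares one.
REGISTRY = {
    "name": "ai-image-in-video-generator",
    "version": "1.0.0",
    "credentials": ["NEMO_TOKEN"],
    "config_paths": [],
    "always": False,
}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def parse_frontmatter(text):
    """Split SKILL.md into (frontmatter dict, body). Supports only the small
    YAML subset used above: 'key: scalar', 'key:' followed by '  - item'
    lines, and true/false literals."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, text
    try:
        end = lines.index("---", 1)
    except ValueError:
        return {}, text
    meta, key = {}, None
    for raw in lines[1:end]:
        if raw.startswith("  - ") and key is not None:
            meta.setdefault(key, []).append(raw[4:].strip())
        elif ":" in raw:
            key, _, value = raw.partition(":")
            key, value = key.strip(), value.strip()
            if value == "":
                meta[key] = []
            elif value.lower() in ("true", "false"):
                meta[key] = value.lower() == "true"
            else:
                meta[key] = value
    return meta, "\n".join(lines[end + 1:])


def check_skill(skill_md, registry, trusted_hosts=frozenset()):
    """Return {'hosts': set, 'findings': [str]} for a SKILL.md/registry pair."""
    meta, body = parse_frontmatter(skill_md)
    findings = []
    # 1. Declared credentials and config paths must match what the registry advertises.
    for key in ("credentials", "config_paths"):
        declared = set(meta.get(key) or [])
        advertised = set(registry.get(key) or [])
        if declared != advertised:
            findings.append(f"{key} mismatch: SKILL.md={sorted(declared)} registry={sorted(advertised)}")
    # 2. Every host the instructions send data to should be on an explicit allowlist.
    hosts = set(HOST_RE.findall(body))
    for host in sorted(hosts - set(trusted_hosts)):
        findings.append(f"external endpoint not on allowlist: {host}")
    # 3. Behaviours that go beyond the advertised media-processing scope.
    lowered = body.lower()
    if "anonymous token" in lowered:
        findings.append("instructions obtain an anonymous token when the credential is absent")
    if "install path" in lowered:
        findings.append("instructions read the agent install path (filesystem access outside image processing)")
    if meta.get("always") is True or registry.get("always") is True:
        findings.append("skill requests permanent presence (always: true)")
    return {"hosts": hosts, "findings": findings}


if __name__ == "__main__":
    result = check_skill(SKILL_MD, REGISTRY)
    print("hosts contacted:", ", ".join(sorted(result["hosts"])))
    for finding in result["findings"]:
        print("-", finding)
```

Run against the constructed pair, the check reports the config_paths mismatch, the single external host, the anonymous-token fallback and the install-path read, and nothing about credentials or persistence, which is the same shape as the verdict above. Passing the host in trusted_hosts silences only the allowlist finding; the scope findings still need a human decision.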
