Skill v1.0.0

ClawScan security

Ai Image To Video Animation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 13, 2026, 4:26 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are largely consistent with an image→video cloud-rendering integration, with only minor inconsistencies (metadata vs registry) and a few design choices you should review before installing.
Guidance
This skill appears to do what it says: it talks to an external NemoVideo API to turn images into videos and needs a NEMO_TOKEN (or will request an anonymous one). Before installing, consider: (1) Do you trust the endpoint (https://mega-api-prod.nemovideo.ai)? The skill will make network calls and may store a session token locally. (2) If you prefer control, set your own NEMO_TOKEN in the environment rather than letting the skill request an anonymous token. (3) The SKILL.md mentions detecting install paths and a config directory (~/.config/nemovideo/) — review where session/tokens will be stored on your system and clear them if needed. (4) Monitor network activity and avoid granting the agent broader autonomous privileges if you don’t trust the service. If you want more assurance, ask the skill author for a privacy/storage policy or for explicit details about where tokens and generated media are saved.

Review Dimensions

Purpose & Capability
ok: The skill's name/description (convert images to animated videos) aligns with the declared primary credential (NEMO_TOKEN) and the API endpoints referenced in SKILL.md. Requesting a token for the external nemo video service is expected for this purpose. Minor inconsistency: the top-level registry said no required config paths, but the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) — plausible for storing session state but inconsistent with the registry metadata.
Instruction Scope
note: SKILL.md is instruction-only and describes the exact API calls to perform (anonymous token acquisition, session creation, SSE streaming, upload, export polling). These actions stay within the stated purpose. The instructions do ask the agent to detect an install path (~/.clawhub/, ~/.cursor/skills/) to set an X-Skill-Platform header and to store session/token values for subsequent requests — both are implementation details that require filesystem and environment access; they are not strictly harmful but expand the scope beyond purely 'upload/convert/download'.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. This is lower risk because nothing is written to disk by an install step. All runtime behavior comes from the SKILL.md instructions.
Credentials
ok: Only NEMO_TOKEN is declared as required and is used by the API calls; SKILL.md also supports auto-obtaining an anonymous token if NEMO_TOKEN is not present. No unrelated secrets or multiple credentials are requested. The single-env requirement is proportionate to the stated cloud-rendering purpose.
Persistence & Privilege
note: The skill instructs storing the anonymous/returned token and session_id for subsequent requests, which is expected for a session-based API. always:false (no forced global inclusion). This storage and reuse is normal for the service but you should be aware the skill will retain a session token and may use it for subsequent network calls.