Skill v1.0.0

ClawScan security

Ai Image To Video App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 14, 2026, 1:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with an image→video cloud rendering service: it only needs a single service token and describes API calls that match its purpose, but you should still confirm you trust the remote service before uploading media.
Guidance
This skill appears to do what it says: it will upload images to a cloud rendering API and return rendered videos, and it needs a single service token (NEMO_TOKEN). Before installing or running it:
1) Confirm you trust the domain mega-api-prod.nemovideo.ai and are comfortable uploading your images there (check privacy/retention policy).
2) Provide a least-privileged NEMO_TOKEN or an account you control for uploads.
3) Be aware the skill may read local install/config paths (your home dir) only to populate attribution headers — if you’re uncomfortable with that, inspect or sandbox the skill.
4) Note the SKILL.md and registry metadata slightly disagree about config paths; if origin/authenticity matters, ask the publisher for a known homepage or source before use.

Review Dimensions

Purpose & Capability
ok
Name, description, and required credential (NEMO_TOKEN) align with a cloud image-to-video rendering service. The SKILL.md documents endpoints and workflows that match the declared purpose (session creation, upload, render/export).
Instruction Scope
note
Instructions are focused on connecting to the nemo API, opening a session, uploading images, streaming SSE results, polling render status, and downloading outputs — all within the tool's stated purpose. The skill also instructs the agent to read the file's YAML frontmatter and detect install path (~/.clawhub, ~/.cursor/skills/) to populate an X-Skill-Platform header; this requires reading some local paths (your home dir) but is explainable by the desire to include attribution headers. The runtime workflow will upload user media to a third-party API (mega-api-prod.nemovideo.ai), so privacy/consent considerations apply.
Install Mechanism
ok
Instruction-only skill with no install steps and no downloaded code—lowest installation risk.
Credentials
note
Only one credential is required (NEMO_TOKEN), which is proportional for a cloud API. Minor inconsistency: the SKILL.md metadata lists a config path (~/.config/nemovideo/) while the registry metadata stated no required config paths; this is a small mismatch but not a functional red flag. The skill will use NEMO_TOKEN for all API calls; ensure that token is scoped appropriately and trusted by you.
Persistence & Privilege
ok
The skill does not request always:true and does not ask to modify other skills or system-wide settings. It instructs saving session_id for ongoing jobs, which is normal for a service session.