Skill v1.0.0

ClawScan security

Ai Image To Video Motion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 10:20 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are internally consistent with an image-to-video cloud rendering service, but there are small mismatches in metadata and some behavior (automatic anonymous token creation and local session storage) you should be aware of before installing.
Guidance
This skill appears to be a straightforward client for a third-party rendering backend (mega-api-prod.nemovideo.ai). Before installing, consider:
1) NEMO_TOKEN access — the skill will use that token for all API calls; if you don't provide one it will automatically request an anonymous token (100 credits, 7 days) and store session info locally — ask where tokens/session IDs will be saved and for how long.
2) Metadata mismatch — SKILL.md references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths; ask the author to clarify storage location.
3) Privacy — uploaded images and any text prompts will be sent to the nemovideo backend; avoid uploading sensitive images or PII unless you trust that service and its privacy policy.
4) Attribution headers and auto-detection of install path are benign but you may want to confirm what 'X-Skill-Platform' detection reads from (does it access filesystem paths?).
If these points are acceptable or clarified by the developer, the skill is coherent for its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name and description (animate still images into short MP4s) match what the SKILL.md instructs: uploading images, creating sessions, SSE-based edits, and export endpoints. The single required credential (NEMO_TOKEN) is appropriate for a third-party API.
Instruction Scope
note: Instructions stay within the stated purpose (upload images, run SSE chat edits, poll render status, return download URL). The skill will auto-generate an anonymous token and call the service endpoints if NEMO_TOKEN is not present, and it instructs storing a session_id for later requests. This is expected for a cloud-rendering workflow, but automatic token generation/storage should be called out to users and requires storage of credentials/session state.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer step described in SKILL.md.
Credentials
note: Only NEMO_TOKEN is declared as required, which is proportional. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata shows 'Required config paths: none' — this mismatch is an incoherence you may want clarified. The skill also requires adding attribution headers to API calls (not env secrets) which is reasonable but noteworthy.
Persistence & Privilege
ok: Skill is not forced-always; it is user-invocable and allowed to invoke autonomously (platform default). It asks to store session state (session_id and possibly anonymous token) for subsequent requests — normal for a service client, but you should confirm where/how long tokens are persisted.