Skill v1.0.0

ClawScan security

Image To Video Effects · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 2:20 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (animating photos via a cloud rendering API) matches its instructions and requested credential, but there are a few small inconsistencies and privacy-relevant behaviors you should be aware of before installing.
Guidance
This skill routes uploaded images to a third-party cloud API (mega-api-prod.nemovideo.ai) to produce videos. It legitimately needs a NEMO_TOKEN but will automatically request an anonymous token if one isn't present — so it can operate without you providing secrets. Before installing, consider: (1) Do you trust the destination service with the images you will upload (privacy/sensitivity)? (2) Confirm the API host/domain and headers match what you expect; the skill requires custom attribution headers which may be used for billing/attribution. (3) The SKILL.md and registry disagree about a config path (~/.config/nemovideo/) — ask the publisher why that path is declared and whether the skill will read or write files there. (4) Check service terms/pricing (anonymous tokens have limited credits). If you plan to process sensitive images or need tighter control over credentials, avoid or audit further; otherwise the skill appears internally consistent with its stated purpose.

Review Dimensions

Purpose & Capability
note: The name/description match the runtime instructions: the skill uploads images and drives a cloud API (mega-api-prod.nemovideo.ai) to render videos and returns download URLs. Requiring a NEMO_TOKEN is coherent for this cloud service. Minor inconsistency: the registry metadata earlier listed no required config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) — this isn't necessary for the described functionality and is unexpected.
Instruction Scope
note: SKILL.md gives explicit procedural instructions for creating sessions, uploading files, long-polling SSE, and exporting — all within the declared purpose. It also instructs that if NEMO_TOKEN is absent the agent should POST to an anonymous-token endpoint and extract data.token for use; that behavior is functional but notable because it lets the skill obtain usable credentials automatically. The skill does not instruct reading other unrelated system files, but the declared config path in frontmatter is surprising.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is lowest-risk from an installation perspective — nothing is downloaded or written by the skill itself per the package.
Credentials
note: Only one credential (NEMO_TOKEN) is declared as required and is appropriate for a cloud rendering service. However, the skill is allowed to mint an anonymous token on first use by calling the service's auth endpoint, which means it can operate without a pre-provided user token. The frontmatter's configPaths entry (~/.config/nemovideo/) appears unnecessary and is not reflected in the registry metadata — that mismatch reduces confidence that environment/config needs are cleanly declared.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent platform privileges. It does not instruct changing other skills or system-wide agent settings.