Skill v1.0.0
ClawScan security
Picture To Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 5:09 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a cloud-based image→video service, but the source is unknown and it will upload user images to an external API (no homepage or vendor info provided).
- Guidance: This skill appears coherent for sending images to a remote renderer, but note: (1) the skill will upload any images you give it to an external domain (mega-api-prod.nemovideo.ai) — do not send sensitive or private images unless you trust the service; (2) the package has no homepage or vendor info, so you can't easily verify operator policies or data retention; (3) you can pre-set a vetted NEMO_TOKEN in your environment instead of allowing the skill to request an anonymous token; and (4) if you need privacy guarantees, ask for the service's privacy/TOS or run conversions locally with a trusted tool. If you decide to install, monitor outbound network activity and avoid submitting PII or confidential media until you've verified the provider.
Review Dimensions
- Purpose & Capability: ok. The skill claims to convert images to videos on a cloud backend and all declared requirements (a single NEMO_TOKEN) and the API endpoints described align with that purpose. Requiring a service token for remote rendering is expected.
- Instruction Scope: note. Instructions stay inside the stated purpose (session creation, upload, SSE for generation, export/polling). They do instruct the agent to inspect the environment for NEMO_TOKEN, to generate an anonymous token if missing, and to detect install path (~/.clawhub, ~/.cursor/skills/) to set an X-Skill-Platform header. Those small local checks are explainable but worth noting since they cause the agent to examine local paths.
- Install Mechanism: ok. No install spec and no code files are present (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install profile.
- Credentials: ok. Only a single credential (NEMO_TOKEN) is declared as required and used for the service. The SKILL.md documents a reasonable fallback (obtain an anonymous token) when the env var is absent. No unrelated credentials are requested.
- Persistence & Privilege: ok. The "always" setting is false and the skill does not request elevated or persistent platform privileges. It stores session_id for job orchestration (expected for a cloud rendering workflow) and does not modify other skills or global agent configuration.
