Skill v1.0.0
ClawScan security
Ai Image To Video Capcut · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 15, 2026, 7:03 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (convert images to videos) matches most of its instructions, but there are small yet important inconsistencies around declared config paths and token handling that you should understand before installing.
- Guidance: This skill appears to do what it says (upload images, call a Nemovideo API, return an MP4), but two things to check before installing or using it: (1) verify the source — the package has no homepage and the registry metadata and SKILL.md disagree about config paths, which could indicate the skill will read or write ~/.config/nemovideo/ even though that wasn't declared; (2) the skill will look for or create a NEMO_TOKEN (it can request an anonymous token from the external API). If you do not trust the service, avoid providing other credentials, avoid uploading sensitive images, and consider running the skill in a sandboxed environment. If you want to proceed, ask the publisher where tokens are stored and whether session tokens are persisted on disk so you can inspect or remove them later.
Review Dimensions
- Purpose & Capability (note): The skill claims to call a Nemovideo cloud API and requires a NEMO_TOKEN — this is coherent with an image→video cloud service. However, the SKILL.md metadata declares a config path (~/.config/nemovideo/) while the registry metadata lists no config paths, which is an internal inconsistency.
- Instruction Scope (note): Runtime instructions are narrowly focused on API calls for session creation, SSE, uploads and exports (all consistent with the stated function). They also instruct the agent to detect the install path to set an X-Skill-Platform header (reads local install path), and to obtain anonymous tokens automatically if none are present — both are within scope but expand the agent's actions to local file-system inspection and unsolicited network auth calls.
- Install Mechanism (ok): No install spec and no code files (instruction-only). This is the lowest installation risk — nothing is downloaded or written by an install step in the package metadata itself.
- Credentials (concern): The only declared credential is NEMO_TOKEN, which is appropriate for the Nemovideo API. But SKILL.md instructs generating an anonymous NEMO_TOKEN via the service if none exists (network call), and the SKILL.md metadata suggests a config path (~/.config/nemovideo/) where tokens or session state might be stored — the registry metadata did not declare this. That mismatch raises questions about whether the skill will persist tokens or read local config beyond what's declared.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide changes or other skills' configs. It does perform network calls and can be invoked autonomously (platform default), which is expected for a cloud-backed skill.
