Skill v1.0.0
ClawScan security
Free Image To Video Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 12:50 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches its description (it uploads images to an external AI video service and uses a single token), but there are small inconsistencies and privacy-risk actions (anonymous token minting and external uploads) and the package has no identifiable source or homepage.
- Guidance: This skill will upload images to an external service (mega-api-prod.nemovideo.ai) and needs a NEMO_TOKEN or will call the service to get an anonymous token for you. Before installing:
  1) Consider privacy — do not use with sensitive images unless you trust the service; images and metadata will leave your device.
  2) The skill has no homepage or source repository; verify the publisher/trustworthiness before use.
  3) Ask the publisher to clarify the configPath discrepancy (~/.config/nemovideo/ appears in the skill but not in registry metadata) and whether tokens are stored persistently and where.
  4) If you proceed, monitor network activity for unexpected endpoints, prefer using your own explicit NEMO_TOKEN (not automatic anonymous minting) if you need auditable access, and test with non-sensitive images first.

  If you want higher assurance, request an official homepage, privacy policy, or source code for review.
Review Dimensions
- Purpose & Capability (note): The declared primary credential (NEMO_TOKEN) is consistent with a cloud video rendering service. However, the SKILL.md frontmatter references a config path (~/.config/nemovideo/) and install-path detection for X-Skill-Platform, while the registry metadata indicated no required config paths. This mismatch is worth asking the author about. Otherwise the requested capabilities (session creation, upload, export) align with the stated purpose.
- Instruction Scope (note): Runtime instructions are explicit and stay within the image→video workflow: check NEMO_TOKEN, obtain an anonymous token if missing (POST to https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token), create a session, upload files or URLs, use SSE for generation, and poll exports. The instructions do require network calls to an external API and include logic to detect the install path and add attribution headers. The skill does not instruct reading unrelated user files or environment variables beyond NEMO_TOKEN, but it will upload user images to an external service. That is a privacy-sensitive action that is expected for this skill but should be noticed.
- Install Mechanism (ok): No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded during install. This is lower risk from an installation perspective.
- Credentials (note): Only one credential is requested (NEMO_TOKEN), which is appropriate for a hosted API. The SKILL.md also describes dynamically minting an anonymous token when no NEMO_TOKEN is present; that behavior is coherent with operation but means the skill performs network authentication on first use. There is a minor inconsistency between the registry (no config paths) and the frontmatter (lists ~/.config/nemovideo/).
- Persistence & Privilege (ok): The skill is not marked always:true and is instruction-only; it does not request persistent platform privileges or claim to modify other skills. It will maintain session IDs/tokens in memory for operations, which is standard for this type of integration.
