Skill v1.0.0

ClawScan security

Ai Image To Video Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 5, 2026, 2:26 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with an image→video cloud service: it needs a single service token, calls a remote API to upload images and stream results, and has no installer or unrelated credential requests.
Guidance
This skill will send any image or URL you provide to an external service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN (or will request an anonymous token on your behalf). Before using it, consider: (1) Privacy — do not upload sensitive or private images unless you trust the service and understand its retention/data policies; (2) Token handling — if you supply a NEMO_TOKEN, treat it like a secret; the skill warns not to print tokens but it will use them to authenticate; (3) Verify the service/domain if you need provenance or legal guarantees (the skill's source/homepage is unknown); (4) Network activity — the skill performs uploads, SSE streaming, and API polling (this will generate outbound network traffic). If these behaviors are acceptable for your use case, the skill appears coherent; if not, avoid installing it or test it in an isolated environment.

Review Dimensions

Purpose & Capability
ok: The skill is an instruction-only wrapper for a cloud image-to-video API. Requesting NEMO_TOKEN and a config path under ~/.config/nemovideo/ is proportional to that purpose. There are no unrelated credentials or unexpected binaries required.
Instruction Scope
note: Instructions direct the agent to obtain or use a NEMO_TOKEN, create sessions, upload images, stream SSE results, and poll exports — all expected for a cloud processing pipeline. The file asks the agent to read its own YAML frontmatter and to detect an install path to set X-Skill-Platform; this implies the agent may inspect its runtime/install path, which is reasonable for attribution but is outside strictly necessary image-processing logic. The skill will transmit user-supplied images and possibly URLs to an external service; users should be aware of privacy implications.
Install Mechanism
ok: No install spec or code is provided — lowest risk for local disk changes. All heavy work is performed by the remote API.
Credentials
ok: Only a single service credential (NEMO_TOKEN) is required and declared as the primaryEnv. The SKILL.md also describes how to obtain an anonymous token if none is provided. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable only. It does not request persistent system-wide modifications or other skills' configs. No elevated privileges are requested.