Ai Music Video App
Pass. Audited by ClawScan on May 11, 2026.
Overview
This appears to be a coherent cloud music-video generation skill, but it will use a NemoVideo token and send user prompts and uploaded media to an external API.
Use this skill if you are comfortable sending your audio/media files and prompts to `https://mega-api-prod.nemovideo.ai`. Prefer a dedicated NEMO_TOKEN, avoid sensitive files, and review generated exports before sharing them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can act within the NemoVideo API session associated with the token, including checking credits, uploading media, generating content, and exporting videos.
The skill uses a provider credential or creates an anonymous provider token to access NemoVideo services. This is expected for the cloud rendering workflow and is disclosed.
**Token**: If `NEMO_TOKEN` environment variable is already set, use it... **Free token**: Generate a UUID... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`
Use a dedicated token if possible, do not share it in chat, and monitor any credit or account usage tied to the token.
Uploaded songs, media assets, and generation prompts may be received and processed by the external NemoVideo service.
The workflow sends user prompts and selected media files to an external cloud API for processing. This is central to the stated purpose, but it is still a sensitive data boundary.
**Send message (SSE)**: POST `/run_sse`... `"text":"<msg>"` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`
Only upload files you are comfortable sending to the provider, and avoid using sensitive, private, or rights-restricted media unless you trust the service terms.
The provider's responses may guide the agent to perform follow-up actions such as querying state or exporting within the current session.
The artifact instructs the agent to treat backend responses as workflow instructions that can trigger further API calls. This is purpose-aligned and scoped to the provider workflow, but backend-driven actions should remain bounded by the user's request.
The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" ... → execute the action via the relevant endpoint ... "Export" ... → run the export workflow
Keep prompts specific, review important outputs such as exports, and avoid asking the skill to operate on files or sessions you do not intend to process.
