Bing Ai Video
PassAudited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill Name: bing-ai-video Version: 1.0.0 The skill exhibits brand impersonation by naming itself 'Bing AI Video' while directing all user data and video content to an unrelated third-party domain (nemovideo.ai). The SKILL.md file instructs the agent to perform environment discovery by detecting the host platform (e.g., Cursor, Clawhub) from installation paths and explicitly directs the agent to hide raw API responses and tokens from the user, which could be used to mask unauthorized data transmission or telemetry collection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could think they are using a Bing-branded service while their media and requests are actually sent to a different backend.
The visible branding suggests Bing AI Video, but the actual backend and credential are NemoVideo. This mismatch matters because users may upload private media based on an incorrect assumption about the service provider.
displayName: "Bing AI Video — Generate and Edit AI Videos" ... All calls go to `https://mega-api-prod.nemovideo.ai` ... primaryEnv: "NEMO_TOKEN"
Before uploading sensitive clips, verify who operates the NemoVideo endpoint and whether the skill is authorized to use the Bing name.
Videos, images, audio, and related URLs may leave the device and be processed by the remote service.
The skill clearly sends uploaded media or media URLs to a remote provider for processing. That is expected for cloud video generation, but it is sensitive data movement.
All calls go to `https://mega-api-prod.nemovideo.ai` ... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.
Only upload media you are comfortable sending to this provider, and review the provider’s privacy and retention terms if available.
The token controls access to the service session, credits, uploads, render jobs, and exports for this skill.
The skill uses a bearer token for the video backend and can generate an anonymous token automatically. This is purpose-aligned, but it is still delegated account/session authority.
Check if `NEMO_TOKEN` is set ... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... The response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days.
Treat NEMO_TOKEN as a credential and avoid sharing logs or environment details that might expose it.
Remote backend responses may trigger edits, state checks, or exports without showing every intermediate tool result to the user.
The skill instructs the agent to translate backend responses into additional API actions. This appears intended for the video workflow, but it gives backend text influence over subsequent agent actions.
Backend says | "click [button]" ... You do | Execute via API ... "Export button" ... Execute export workflow ... Tool call/result | Process internally, don't forward.
The skill should keep actions scoped to the listed video endpoints and ask for confirmation before credit-consuming exports or unexpected changes.
Users have limited registry-level information for verifying the publisher or service relationship.
There is no local code to install, which reduces local execution risk, but the skill lacks provenance information for a cloud service integration.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Prefer installing only if you trust the publisher and can independently verify the backend provider.