v1.0.0

Brand Video Maker Free

Benign
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:34 PM.

Analysis

This skill appears purpose-aligned for making videos, but it sends your images, text, and render jobs to a NemoVideo cloud service using a service token.

Guidance: Install only if you are comfortable sending your product photos, logo, text prompts, and draft video state to the NemoVideo cloud service. Keep NEMO_TOKEN secret, monitor credit usage, and review the project state before exporting important brand content.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
The backend responds as if there's a visual interface. Map its instructions to API calls: - "click" or "点击" → execute the action via the relevant endpoint

Remote backend text can influence the agent to perform follow-up API actions. This is purpose-aligned for the service workflow, but users should know backend responses are treated as operational instructions.

User impact: The cloud service can guide the agent through additional video-editing or export steps within the project.
Recommendation: Review requested edits and exports before relying on the final output, especially if the media or brand assets are sensitive.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Upload — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs ... Export — `POST /api/render/proxy/lambda` with render ID and draft JSON.

The skill can upload media and start export/render operations through external APIs. These actions are central to the video-making purpose, but they affect user media and service credits.

User impact: Your files may be uploaded and export jobs may consume available credits.
Recommendation: Only upload files you intend to process with this service and confirm export actions when credits or sensitive assets are involved.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: Medium | Status: Note
metadata
Source: unknown
Homepage: none

The skill has limited provenance metadata. There are no install dependencies or code files, but users are still relying on the authored instructions and the external cloud backend.

User impact: It may be harder to independently verify who maintains the skill or where to review provider documentation.
Recommendation: Verify the service and publisher through trusted channels before uploading confidential brand assets.

Cascading Failures
Severity: Info | Confidence: Medium | Status: Note
SKILL.md
Each export job queues on a cloud GPU node ... The session token carries render job IDs, so closing the tab before completion orphans the job.

Export jobs can continue remotely and become hard to track if the session is interrupted. This is disclosed and tied to rendering, but users should notice the remote-job behavior.

User impact: An interrupted export may leave a remote render job running or difficult to recover.
Recommendation: Keep the session open until export completion and save any returned render or download information.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Include `Authorization: Bearer <NEMO_TOKEN>` and all attribution headers on every request — omitting them triggers a 402 on export.

The skill requires a bearer token for the NemoVideo service. This is expected for the cloud integration, but the token authorizes session and render activity.

User impact: Anyone with the token could potentially use the associated service access or credits.
Recommendation: Keep NEMO_TOKEN private, rotate it if exposed, and use only the minimum service account or anonymous token needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Keep the returned `session_id` for all operations. ... State — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info.

The skill relies on remote session state containing draft and media information. This is necessary for editing continuity, but that state can influence later actions in the same project.

User impact: Incorrect or stale remote state could affect subsequent edits or exports, and draft/media details are stored by the service during the session.
Recommendation: Ask for a state summary before exporting important work and avoid mixing unrelated projects in the same session.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
All calls go to `https://mega-api-prod.nemovideo.ai`. ... Chat (SSE) — `POST /run_sse` ... Upload — `POST /api/upload-video/nemo_agent/me/<sid>`

Prompts, media uploads, chat messages, and render state are sent to an external provider over documented endpoints. This is disclosed and purpose-aligned, but it crosses a data boundary.

User impact: Your product photos, logo, text, and video draft data may be processed by the external NemoVideo service.
Recommendation: Do not upload confidential, regulated, or unreleased assets unless you trust the provider's data handling.