Generator Extension

Pass

Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: generator-extension
Version: 1.0.0

The skill bundle is a legitimate integration for an AI video extension service hosted at nemovideo.ai. It defines standard API orchestration logic, including anonymous token acquisition, session management, and file uploads. While it requests access to a specific configuration directory (~/.config/nemovideo/) and an environment variable (NEMO_TOKEN), these are strictly aligned with its stated purpose, and no evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Opening the skill can contact Nemo's service and create a session before any video is uploaded.

Why it was flagged

The skill may initiate backend network setup automatically on first use. This is disclosed and central to the cloud-rendering workflow, but it is a behavior users should notice.

Skill content

When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

Recommendation

Use the skill only if you are comfortable with automatic service setup, and keep uploads/exports tied to explicit user requests.

What this means

The token can authorize Nemo video-rendering sessions and may consume associated credits or access session state.

Why it was flagged

The skill uses a bearer token for Nemo API access. This is expected for the service integration and there is no evidence of token leakage or unrelated credential use.

Skill content

Include `Authorization: Bearer <NEMO_TOKEN>` and all attribution headers on every request

Recommendation

Use a dedicated Nemo token where possible, avoid exposing it in logs or shared environments, and remove or rotate it when no longer needed.

What this means

Videos, prompts, drafts, and generated media metadata may be processed by Nemo's external cloud service.

Why it was flagged

User-provided videos or video URLs are sent to an external Nemo backend. This is the core function of the skill, but it means private media leaves the local environment.

Skill content

**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

Recommendation

Do not upload confidential or regulated videos unless you trust the Nemo service and its data-handling practices.

What this means

Users have less public context for who operates the skill or how the external rendering service is governed.

Why it was flagged

The registry metadata does not provide a source repository or homepage for independent provenance review. This is not evidence of malicious behavior, but it limits verification of the service/operator.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the provider through trusted channels before using the skill with sensitive media.