v1.0.1

Linkedin Video Maker

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:17 PM.

Analysis

This skill is a cloud video-rendering helper that clearly uses an external service and token, with no evidence of hidden code or malicious behavior.

GuidanceBefore installing, be comfortable with sending your video clips, images, prompts, and project state to the NemoVideo cloud API. The skill does not include local executable code, but it does use a bearer token, remote agent communication, cloud uploads, and cloud rendering jobs.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow

The skill lets backend messages influence the agent's next API action. This is disclosed and tied to the video workflow, but users should know remote backend responses can steer workflow actions.

User impactThe video service can guide editing/export steps inside the session, rather than every step being directly chosen by the user.

RecommendationUse the skill for intended video-generation tasks and review outputs before posting or sharing them.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

The skill supports uploading local files or URLs to an external backend. This is necessary for video creation, but it is still a sensitive tool capability involving user media.

User impactFiles or URLs you provide can be sent to the NemoVideo backend for processing.

RecommendationOnly provide media you are comfortable uploading to the external rendering service.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none

The skill has no install-time code, but its registry provenance is limited and it depends on an external backend service.

User impactUsers have limited registry-level provenance information about the publisher or service behind the skill.

RecommendationInstall only if you are comfortable relying on the listed external NemoVideo API endpoint for processing.

Rogue Agents

SeverityInfoConfidenceHighStatusNote

SKILL.md

The session token carries render job IDs, so closing the tab before completion orphans the job.

Cloud render jobs may continue independently of the user's active tab. This is disclosed and expected for rendering, but users should understand that queued processing may continue after they leave.

User impactA render job may keep running on the backend even if you close the tab before it finishes.

RecommendationStart exports only when you intend the backend render to complete, and check status/download links before leaving long jobs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

The skill requires a bearer token for the cloud API. This credential use is expected for the stated service and the instructions say not to display token values.

User impactThe skill can act within the permissions of the NemoVideo token for video sessions, uploads, credits, state, and rendering.

RecommendationUse a token intended for this service only, and avoid sharing or reusing it for unrelated accounts.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Store the returned `session_id` for all subsequent requests.

The skill maintains backend session context across requests. This is expected for a multi-step video project, but it means project state is reused during the workflow.

User impactYour video project state can persist in the backend session while the skill continues editing, exporting, or checking status.

RecommendationAvoid placing confidential or regulated material in projects unless you trust the external service's handling of that media and session state.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent","user_id":"me","session_id":"<sid>"...}` with `Accept: text/event-stream`.

The skill communicates with a remote `nemo_agent` backend over SSE. This is central to the service, but it is an agent/provider communication path that carries user prompts and session identifiers.

User impactPrompts and workflow state are exchanged with the external NemoVideo agent backend.

RecommendationDo not include sensitive business information in prompts or media unless that is appropriate for the external service.