Maker Free Gemini
AdvisoryAudited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any scripts, descriptions, clips, or URLs provided to the skill may be processed by the remote NemoVideo service.
The skill clearly sends user prompts and uploaded media to an external processing backend. This matches the video-generation purpose, but users should treat prompts and clips as data shared with that provider.
The AI video creation runs on remote GPU nodes ... API base: `https://mega-api-prod.nemovideo.ai` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`
Only upload content you are comfortable sending to the external backend, and avoid sensitive or confidential media unless you trust the provider.
The token may control video sessions and available credits for the NemoVideo backend.
The skill uses a bearer token to create sessions, spend credits, and access the rendering backend. This is expected for the service, but it is still an account/session credential.
Check if `NEMO_TOKEN` is set ... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... The response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token for this service, do not share it, and monitor credit usage or account activity if using a registered account.
Opening the skill may contact the NemoVideo backend and create an anonymous token/session.
The skill initiates backend setup automatically on first use. The action is disclosed and limited to service setup, but it contacts a third-party API before a generation request.
When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").
Install only if you are comfortable with the skill making this setup request; otherwise set up credentials manually or avoid enabling the skill.
Users have less metadata to verify who maintains the skill or where to review the service before sending data.
The skill has limited provenance information while relying on an external backend and credential. This is not evidence of malicious behavior, but it reduces transparency for users reviewing the provider.
Source: unknown; Homepage: none; Env var declarations: none; Primary credential: NEMO_TOKEN
Review the provider/domain and only use the skill with data and credentials you are comfortable sharing with that service.