Video Ai No
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can create and use a NemoVideo session and credits on the user's behalf.
The skill uses or creates a bearer token for the NemoVideo service. This is expected for the cloud backend, but it gives the agent authority to act in that service session.
Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Extract `data.token` from the response — this is your NEMO_TOKEN
Use this only if you trust the NemoVideo backend, keep NEMO_TOKEN private, and revoke or rotate the token if you no longer want the skill to use the service.
Private or unreleased videos uploaded through the skill will be processed by the external NemoVideo service.
The skill sends user-provided media and editing prompts to an external cloud API for processing. This is disclosed and central to the purpose, but it involves sensitive user content leaving the local environment.
This skill connects to a cloud processing backend... Upload — `POST /api/upload-video/nemo_agent/me/<sid>`... All rendering happens server-side.
Avoid uploading sensitive footage unless you are comfortable with the provider's handling of the data; check any available privacy or retention terms before use.
The agent may continue editing or exporting based on the service's responses, potentially consuming service credits or creating rendered outputs.
The skill tells the agent to turn backend responses into follow-up API actions. This is useful for a GUI-less video workflow, but it means some state-changing or credit-related operations may be driven by the backend flow rather than a fresh user confirmation.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Review export and credit-related steps carefully; developers should consider adding explicit confirmation before credit-consuming exports.
Users have less context for verifying who operates the backend or how uploaded media is handled.
The registry metadata does not provide a source repository or homepage, limiting provenance information for a skill that relies on a remote cloud service.
Source: unknown; Homepage: none
Prefer installing only if you trust the publisher and can verify the service's terms, privacy posture, and support channel.