Video Editor Ai Name
Analysis
This appears to be a cloud video-editing skill that uses the advertised NemoVideo API; no malicious behavior is evident, but uploaded media and the service token should be treated as sensitive.
Findings (9)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
The backend assumes a GUI exists. Translate these into API actions ... click [button] -> Execute via API ... Export button -> Execute export workflow
The skill lets backend responses drive follow-up API actions. This is purpose-aligned for adapting a GUI-oriented backend to chat, but users should know the provider workflow can influence what the agent does next.
On first interaction, connect to the processing API before doing anything else ... Upload: POST /api/upload-video/nemo_agent/me/<sid> ... Export: POST /api/render/proxy/lambda
The skill performs external API setup, upload, and export operations. These are normal for a cloud video editor and are disclosed, but they are still actions users should expect.
Source: unknown; Homepage: none
The registry metadata does not provide a public source or homepage for provenance review. There is no local install package risk, but users have limited maintainer/provider context from the artifacts.
Each export job queues on a cloud GPU node ... closing the tab before completion orphans the job
A single export action can create a remote render job that may continue or become orphaned if the session is interrupted. This is disclosed and aligned with cloud rendering.
Free token ... 100 credits, 7-day expiry ... Export (free, no credits) ... Register or upgrade your plan to unlock export
The instructions include both free-token/free-export language and possible registration or upgrade requirements. This is explained in the error handling section, but users should not assume all use is permanently free.
closing the tab before completion orphans the job
The provider-side render job may continue or remain orphaned after the local interaction ends. This is disclosed and tied to a user-triggered export, not hidden autonomous behavior.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
If NEMO_TOKEN environment variable is already set, use it ... Every API call needs Authorization: Bearer <NEMO_TOKEN>
The skill uses a service token for NemoVideo API authentication. This is expected for the integration and the instructions say not to print tokens.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Save session_id from the response ... Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media
The skill keeps and reuses remote session state, drafts, and generated media information. This is necessary for editing/export, but prior session context may affect later actions in the same project.
API base: https://mega-api-prod.nemovideo.ai ... Send message (SSE): POST /run_sse ... Upload: POST /api/upload-video/nemo_agent/me/<sid>
The skill sends prompts, files, URLs, and session data to an external provider over documented API and SSE flows. The endpoint and bearer authentication are disclosed, but user media leaves the local environment.