v1.0.0

Video Editor Ipad

Benign
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:34 PM.

Analysis

This is a purpose-aligned cloud video editing skill, but it will create or use a Nemo token, send media and prompts to a remote backend, and maintain session/render state while working.

Guidance: Before installing, make sure you are comfortable uploading your clips, audio, images, and editing instructions to the NemoVideo cloud service. Use a dedicated NEMO_TOKEN, avoid highly sensitive media unless you trust the provider, and check credit/status information before retrying exports.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low; Confidence: High; Status: Note
SKILL.md
Text events go straight to the user (after GUI translation). Tool calls stay internal.

The skill allows backend stream content to guide internal tool-style handling. This is purpose-aligned for a cloud editor, but users should know the remote service can influence the editing workflow.

User impact: The remote editing backend may guide follow-up editing actions inside the session.
Recommendation: Use the skill for the intended video editing workflow and review the final timeline/export before relying on it.
Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
| `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL. | ... | `/api/render/proxy/lambda` | POST | Start export.

The skill uses remote API operations to upload user media and start render jobs. These operations are central to the stated cloud video editing purpose.

User impact: Your uploaded media can be sent to the backend and processed into exports.
Recommendation: Only upload files you are comfortable sending to the NemoVideo service, and confirm export requests before using credits.
Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: Medium; Status: Note
metadata
Source: unknown
Homepage: none

The package has no listed source or homepage, while the skill relies on an external cloud API. There is no install code or hidden helper, so this is a provenance notice rather than a concrete supply-chain concern.

User impact: You have limited public provenance information for the skill and its provider integration.
Recommendation: Prefer using this with non-sensitive media unless you trust the publisher and NemoVideo backend.
Cascading Failures
Severity: Low; Confidence: High; Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

A render job can continue or become detached from the user interface if the session is interrupted. This is disclosed and limited to the cloud render workflow.

User impact: Interrupted sessions may leave render jobs in progress and could affect credits or availability.
Recommendation: Wait for renders to finish when possible, and check credits/status before retrying the same export.
Human-Agent Trust Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").

The skill minimizes setup messaging while automatically connecting to the provider. This is not deceptive in context, but users should recognize that an external session may be created immediately.

User impact: Opening the skill may contact the backend before you upload a file.
Recommendation: Review the provider and token use before invoking the skill if automatic backend contact matters to you.
Rogue Agents
Severity: Low; Confidence: High; Status: Note
SKILL.md
closing the tab before completion orphans the job

Cloud render work may outlive the visible tab/session. This is disclosed and tied to a user-initiated render job, with no evidence of self-propagation or hidden autonomous behavior.

User impact: A render may keep running remotely after you leave the session.
Recommendation: Avoid starting exports you do not want completed, and check backend status or credits if a tab closes mid-render.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
metadata
Required env vars: NEMO_TOKEN ... Primary credential: NEMO_TOKEN

The skill requires a provider token and uses it as the primary credential for backend API calls. This is expected for the integrated service and no unrelated credential use is shown.

User impact: The skill needs a NemoVideo token to create sessions, upload media, check credits, and export videos.
Recommendation: Use a token intended for this service, avoid sharing it elsewhere, and rotate it if you no longer trust the skill or provider.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
Store the returned `session_id` for all subsequent requests.

The skill maintains session state across requests so it can continue the same editing project. This is expected, but stale or wrong session state could affect later actions.

User impact: The editing session state may be reused while the project is active.
Recommendation: Start a new session for unrelated projects and avoid mixing sensitive clips with unrelated editing tasks.
Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Base URL: `https://mega-api-prod.nemovideo.ai` ... `/run_sse` | POST | Send a user message. Body includes `app_name`, `session_id`, `new_message`.

The skill communicates with an external provider/agent-style backend using messages, session IDs, and bearer authorization. This is disclosed and purpose-aligned, but it means prompts and media-related state cross a provider boundary.

User impact: Your editing instructions and session information are sent to the remote backend.
Recommendation: Do not send private or regulated content unless you are comfortable with the provider processing it.