Video Loop Ai
AdvisoryAudited by Static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the NemoVideo token or anonymous starter token to create sessions, upload media, check credits, and start exports.
The skill uses a provider bearer token for all backend requests. This is expected for the NemoVideo integration, but it gives the agent delegated access to the provider account/session and credits.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use only a token intended for this service, monitor credit usage, and avoid placing unrelated secrets in the NEMO_TOKEN environment variable.
Videos, images, or audio provided to the skill may leave the local/chat environment and be processed on NemoVideo cloud systems.
The workflow sends user-selected media files or URLs to the NemoVideo cloud API. This is central to the skill’s purpose, but it is still an external data transfer users should notice.
`/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL.
Do not upload private, regulated, or confidential media unless you trust the provider and its retention/privacy terms.
When invoked, the agent may change the cloud editing session, start render jobs, and produce exports based on the user’s request.
The skill directs the agent to interact with a remote editing pipeline and perform edits/exports through API calls. This is coherent with the stated cloud video-editing purpose, but it is still an operational authority to mutate a cloud project session.
| `/run_sse` | POST | Send a user message. Body includes `app_name`, `session_id`, `new_message`. Stream response with `Accept: text/event-stream`.
Review requested edits and exports before asking the agent to render or download final results, especially if credits or paid plans are involved.
Users have less independent context for verifying who operates or maintains the skill and backend service.
The registry context does not provide a source repository or homepage. There is no local code or install script in the supplied artifacts, so this is a provenance note rather than a security concern.
Source: unknown; Homepage: none
Verify that `mega-api-prod.nemovideo.ai` is the service you intend to use before sending media or credentials.
A render may continue or become hard to track if the session is interrupted.
The skill discloses that provider-side render jobs can outlive the immediate chat/tab state. This is expected for cloud rendering, but users should be aware of potential orphaned jobs or credit use.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Wait for renders to complete when possible and check credit/job status if a session is closed or interrupted.