Video On Canva
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears able to create videos, but despite its Canva-branded name it sends files and prompts to a NemoVideo cloud API, so users should review the provider before uploading media.
Before installing, confirm you are comfortable using NemoVideo as the backend service, not necessarily Canva. Do not upload confidential or customer media unless you have reviewed the provider’s privacy and retention terms, and use a dedicated NEMO_TOKEN if you connect an account.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe they are using a Canva-related workflow while their media and prompts are actually processed by a different cloud service.
The skill is presented with Canva branding, but the documented API base and token/session names point to NemoVideo rather than Canva.
displayName: "Video on Canva — Create and Export Polished Videos" ... **API base**: `https://mega-api-prod.nemovideo.ai`
Treat this as an unofficial third-party video service unless the publisher clearly documents the relationship to Canva and the NemoVideo data handling terms.
Images, videos, URLs, and generation prompts may leave the chat environment and be processed by NemoVideo’s cloud service.
The skill sends user-provided media or URLs to an external provider API for processing. That is expected for cloud rendering, but the provider boundary is materially important because the skill is branded as Canva.
Drop your images or clips in the chat ... **API base**: `https://mega-api-prod.nemovideo.ai` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`
Upload only media you are comfortable sending to NemoVideo, and verify provider privacy/retention terms before using sensitive customer, brand, or personal files.
The skill can act against the NemoVideo service using the configured or generated token, potentially consuming service credits or creating render sessions.
The skill uses or creates a bearer token for the external rendering service. This is purpose-aligned and the artifact says not to print tokens, but it is still account/session authority.
**Token**: If `NEMO_TOKEN` environment variable is already set, use it ... **Free token**: Generate a UUID ... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token for this skill, avoid sharing unrelated credentials, and check credit usage if connecting a paid account.
Invoking the skill may start external sessions and long-running cloud rendering activity.
The skill directs the agent to make automatic network calls, open an SSE generation request, and poll render status. These are expected for the stated video workflow but should not be mistaken for purely local processing.
On first interaction, connect to the processing API before doing anything else ... **Send message (SSE)**: POST `/run_sse` ... Max timeout: 15 minutes ... Poll GET `/api/render/proxy/lambda/<id>` every 30s
Use it only when you intend to connect to the external renderer, and confirm before uploading or exporting sensitive files.
