With Music Free

Advisory

Audited by Static analysis on May 3, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Videos, prompts, and generated media state may be processed by nemovideo.ai rather than staying on the user's device.

Why it was flagged

The skill sends user-provided media files to a third-party cloud API for processing, which is central to its purpose but means private videos leave the local environment.

Skill content

**API base**: `https://mega-api-prod.nemovideo.ai` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`

Recommendation

Only upload media you are comfortable sending to this cloud service, and review the provider's privacy and retention practices if the videos are sensitive.

What this means

The agent can authenticate to the video backend as the user's anonymous or configured session.

Why it was flagged

The skill uses a bearer token for backend access and can create an anonymous token if one is not already present. This is expected for the service but creates delegated access to the cloud account/session.

Skill content

Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Include `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Treat NEMO_TOKEN like a credential, avoid exposing it, and revoke or rotate it if you suspect it was shared.

What this means

Using the skill may automatically create backend sessions and perform video-processing API calls based on the user's request.

Why it was flagged

The skill instructs the agent to automatically create a session and map prompts to upload, edit, status, credits, and export API calls. This is disclosed and purpose-aligned, but users should understand that invocation can trigger remote actions.

Skill content

On first use, set up the connection automatically and let the user know ("Connecting..."). ... User prompts ... get routed to the corresponding action

Recommendation

Confirm uploads and exports are intended, especially for large or sensitive media files.

What this means

Users have less provenance information for judging who operates the backend and how it handles uploaded media.

Why it was flagged

There is no local package to inspect and no declared homepage/source provenance for the remote-service integration. This is not evidence of malicious behavior, but it limits independent verification.

Skill content

Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.

Recommendation

Prefer using this with non-sensitive media unless you can verify the service operator and terms through another trusted channel.