Flow Ai Video

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent cloud video-editing skill, but using it sends chosen media and edit prompts to NemoVideo and relies on a Nemo token/session.

Before installing, be comfortable with sending chosen videos and editing instructions to NemoVideo's cloud service and with the skill using or creating a NemoVideo token. No local code execution or malicious behavior is evidenced in the provided artifacts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Using the skill can trigger cloud API calls, session creation, rendering, and polling without separate manual steps after the user invokes the workflow.

Why it was flagged

The skill directs the agent to initiate backend setup and API workflows automatically during use. This is expected for a cloud rendering integration, but users should know API actions can occur as part of normal operation.

Skill content
On first use, set up the connection automatically and let the user know ("Connecting...").
Recommendation

Use it only when you intend to send footage to the NemoVideo service, and review rendered outputs before publishing or sharing them.

ASI03: Identity and Privilege Abuse
Low
What this means

The token can authorize NemoVideo sessions, credits, uploads, and renders, so it should be treated as a service credential.

Why it was flagged

The skill uses a NemoVideo bearer token or obtains an anonymous one for the service. This credential use is disclosed and aligned with the cloud editing purpose.

Skill content
Look for `NEMO_TOKEN` in the environment. If found, skip to session creation. Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Extract `data.token`
Recommendation

Keep NEMO_TOKEN private, use a dedicated token if possible, and revoke or rotate it if you no longer trust the integration.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Any uploaded footage, URLs, edit prompts, and related session state may be processed by the external NemoVideo service.

Why it was flagged

The skill sends user-selected video files or URLs to the external NemoVideo backend for processing. This is central to the skill's purpose, but it is a sensitive data flow.

Skill content
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`
Recommendation

Do not upload confidential, private, or regulated media unless you are comfortable with NemoVideo processing it under its service terms.