Image To Video Imagemover
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is a coherent cloud image-to-video connector, but users should understand that their media and prompts are sent to NemoVideo’s remote API using a token.
This appears safe for its stated purpose if you are comfortable using a cloud renderer. Before installing, understand that files you provide will be uploaded to NemoVideo’s API, a token will be used or generated, and the rendered project may continue briefly on the provider’s servers even if you close the session.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your NemoVideo token or generate an anonymous token to create sessions and render videos under that account/session.
The skill uses a bearer token to authenticate to the NemoVideo API. This is expected for the service integration, and the artifact also says not to print tokens, but it is still credential-bearing access.
If `NEMO_TOKEN` environment variable is already set, use it... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token where possible, avoid sharing the token, and monitor any credits or usage associated with the account.
Private or sensitive images, audio, URLs, and prompts could be transmitted to NemoVideo’s servers for processing.
The skill sends user-selected files or URLs to an external cloud API for rendering. That is central to the stated purpose, but it means media content is shared with the provider.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Only upload files you are comfortable sending to the external rendering provider, and review the provider’s privacy/retention terms if the media is sensitive.
The remote service may cause the agent to perform workflow steps such as edits, state queries, or export actions within the video project.
The skill instructs the agent to translate backend GUI-style messages into API actions. This is part of the intended cloud workflow, but it gives backend responses operational influence over the session.
Backend says "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Confirm requested edits and exports make sense, especially if the output or credit usage matters.
It may be harder to independently verify who maintains the integration or where support/privacy information is hosted.
The artifact provides limited provenance information for the skill, although there is no local code or install mechanism to analyze.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Prefer using this with non-sensitive media unless you can verify the provider and account/token source.