Ai Music Video Maker
PassAudited by ClawScan on May 4, 2026.
Overview
This is a coherent cloud video-rendering skill, but it uploads your media to NemoVideo and uses a service token, so only use it with files you are comfortable sending to that service.
This skill appears benign and purpose-aligned for making cloud-rendered music videos. Before installing, understand that your media files and prompts will be uploaded to `mega-api-prod.nemovideo.ai`, and exports may consume service credits tied to the token you use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your songs, photos, prompts, and generated videos may be processed by an external service.
The skill clearly discloses that user audio and images are sent to an external cloud backend for rendering. This is purpose-aligned, but the artifacts do not describe data retention or privacy terms.
This skill connects to a cloud processing backend... You upload, describe what you want, and download the result. All calls go to `https://mega-api-prod.nemovideo.ai`.
Only upload media you are comfortable sharing with the NemoVideo backend, and check the service's privacy/retention terms if the media is sensitive.
If you use an account-linked token, the skill may access that service account's sessions and consume available credits during rendering/export.
The skill uses or creates a bearer token for the video service. That is expected for the cloud API, and the instructions say not to expose tokens, but the token may control sessions and credits.
Look for `NEMO_TOKEN` in the environment... Otherwise... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Include `Authorization: Bearer <NEMO_TOKEN>`... on every request
Use a dedicated or revocable token when possible, monitor credit usage, and do not paste or expose the token in chat.
Backend responses may trigger session actions such as state queries or exports, which could use credits or change the current draft.
The skill instructs the agent to convert backend GUI-style messages into API actions. This is coherent with the cloud editor workflow, but it means the external backend can steer actions inside the current session.
Backend says | "click [button]"... You do | Execute via API ... "Export button" ... Execute export workflow
Ask the agent to confirm before exporting or spending credits if you want tighter control over the workflow.
You have less independent information to verify who operates the service before sending media or using credits.
The registry metadata provides limited provenance for the skill and its cloud service. There is no local install code, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Use with non-sensitive media first, and prefer a documented vendor page or terms of service before relying on it for private or commercial content.