Ai Music Video Maker
PassAudited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill Name: ai-music-video-maker Version: 1.0.0 The skill bundle provides a legitimate integration for an AI agent to interact with the NemoVideo cloud service (mega-api-prod.nemovideo.ai) for music video generation. It includes detailed instructions for session management, file uploads, and handling Server-Sent Events (SSE), with no evidence of malicious intent, data exfiltration, or unauthorized system access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your songs, photos, prompts, and generated videos may be processed by an external service.
The skill clearly discloses that user audio and images are sent to an external cloud backend for rendering. This is purpose-aligned, but the artifacts do not describe data retention or privacy terms.
This skill connects to a cloud processing backend... You upload, describe what you want, and download the result. All calls go to `https://mega-api-prod.nemovideo.ai`.
Only upload media you are comfortable sharing with the NemoVideo backend, and check the service's privacy/retention terms if the media is sensitive.
If you use an account-linked token, the skill may access that service account's sessions and consume available credits during rendering/export.
The skill uses or creates a bearer token for the video service. That is expected for the cloud API, and the instructions say not to expose tokens, but the token may control sessions and credits.
Look for `NEMO_TOKEN` in the environment... Otherwise... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Include `Authorization: Bearer <NEMO_TOKEN>`... on every request
Use a dedicated or revocable token when possible, monitor credit usage, and do not paste or expose the token in chat.
Backend responses may trigger session actions such as state queries or exports, which could use credits or change the current draft.
The skill instructs the agent to convert backend GUI-style messages into API actions. This is coherent with the cloud editor workflow, but it means the external backend can steer actions inside the current session.
Backend says | "click [button]"... You do | Execute via API ... "Export button" ... Execute export workflow
Ask the agent to confirm before exporting or spending credits if you want tighter control over the workflow.
You have less independent information to verify who operates the service before sending media or using credits.
The registry metadata provides limited provenance for the skill and its cloud service. There is no local install code, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Use with non-sensitive media first, and prefer a documented vendor page or terms of service before relying on it for private or commercial content.