Fliz Ai Video
Pass
Audited by ClawScan on May 11, 2026.
Overview
This appears to be a purpose-aligned remote AI video-editing skill, but users should know it sends selected media and token-backed requests to nemovideo.ai.
This skill is reasonable to use if you are comfortable sending your chosen video, image, or audio files to nemovideo.ai for cloud rendering. Protect your NEMO_TOKEN, start with non-sensitive media, and ask the agent to describe its API actions if you want more visibility.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill should protect the NEMO_TOKEN because it authorizes requests to the provider account or starter token balance.
The skill uses a bearer token for the remote video-editing API. This is expected for the service, but the token can authorize actions and consume credits.
Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request
Use a dedicated token if possible, avoid sharing it in chat, and rotate or revoke it if it may have been exposed.
Videos, images, audio, and related prompts may be transmitted to nemovideo.ai for rendering.
The skill’s core workflow sends user media to a remote provider for processing. This is disclosed and purpose-aligned, but media files can contain sensitive personal or business information.
Upload MP4, MOV, AVI, WebM files up to 500MB ... All rendering happens server-side.
Only upload files you are comfortable sending to the provider, and review the provider’s privacy terms before using sensitive footage.
Users may not see every connection, token, session, or internal tool step unless they ask.
The skill tells the agent not to show technical API details during normal use. The backend behavior is documented in the artifact, so this is a transparency note rather than evidence of deception.
Tell the user you're ready. Keep the technical details out of the chat.
Ask the agent to explain what it is sending and which API action it is taking if you want more transparency.
It may be harder to independently verify who operates the skill and backend service before sending media or credentials.
The package has limited provenance information. There is no install code in the provided artifacts, but the skill depends on a remote API service.
Source: unknown; Homepage: none
Verify the provider/domain and use non-sensitive test media before relying on the skill for private or business content.
