Image To Video Grok
AdvisoryAudited by VirusTotal on Apr 23, 2026.
Overview
Type: OpenClaw Skill Name: image-to-video-grok Version: 1.0.0 The image-to-video-grok skill is a legitimate tool designed to interface with the nemovideo.ai cloud service for AI video generation. It handles session management, file uploads, and rendering status polling through documented API endpoints (mega-api-prod.nemovideo.ai). The instructions in SKILL.md are focused on task execution and error handling, including a standard anonymous authentication flow, and do not exhibit signs of data exfiltration, unauthorized access, or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can initiate remote API calls and create a cloud editing/render session.
The skill will automatically contact the provider and create a session after invocation. This is expected for the cloud rendering purpose, but it is still a user-visible behavior to understand.
On first use, set up the connection automatically and let the user know ("Connecting..."). ... Session: POST `https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent` ... Keep the returned `session_id` for all operations.Use it only when you are ready to connect to the provider, and ask the agent to confirm before uploads or exports if you want more control.
Anyone with the token could potentially use the associated NemoVideo credits/session access.
The skill uses a bearer token to authorize cloud sessions, credits, and exports. This is disclosed and aligned with the stated service integration, but the token grants access to the provider account/session.
Look for `NEMO_TOKEN` in the environment. If found, skip to session creation. Otherwise: ... Extract `data.token` from the response — this is your NEMO_TOKEN ... Include `Authorization: Bearer <NEMO_TOKEN>` ...
Keep NEMO_TOKEN private, do not paste it into chats or logs, and rotate/remove it if you no longer trust the skill or service.
Uploaded images, videos, audio, or URLs may be processed and retained according to the provider's service behavior and policies.
The skill sends user-provided media to a third-party cloud backend for processing. This is clearly tied to the image-to-video purpose, but it creates a remote data-sharing boundary.
All rendering happens server-side. ... Base URL: `https://mega-api-prod.nemovideo.ai` ... `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL.
Only upload files you are comfortable sending to the remote provider, especially if they contain private, regulated, client, or unreleased content.
Users have less independent context for verifying who maintains the skill or service.
The artifact provides limited provenance information for the skill or backend operator. Because there is no installable code in the provided artifacts, this remains a provenance note rather than a concrete unsafe behavior.
Source: unknown; Homepage: none
Confirm that you trust the publisher and the NemoVideo endpoint before uploading sensitive media or relying on the service for production workflows.