Kaiber Ai

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe they are using Kaiber while their files, prompts, and render jobs are handled by a different cloud service.

Why it was flagged

The skill presents itself as Kaiber AI while authenticating to and sending work to NemoVideo endpoints, without explaining the relationship between the brand and the backend.

Skill content

displayName: 'Kaiber AI — Generate AI Animated Videos' ... primaryEnv: 'NEMO_TOKEN' ... API base: `https://mega-api-prod.nemovideo.ai`

Recommendation

Clearly disclose the actual provider and affiliation, and ask users to confirm they trust the NemoVideo endpoint before uploading media.

What this means

Private images, videos, audio, and prompts may leave the local environment and be processed by the provider.

Why it was flagged

The skill sends user-selected media and prompts to an external cloud API for rendering.

Skill content

**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart files=@/path ... **API base**: `https://mega-api-prod.nemovideo.ai`

Recommendation

Do not upload sensitive or confidential media unless you trust the provider and understand its retention and privacy terms.

What this means

The skill can authenticate to the provider and use the associated credits or session; leaked tokens could allow unwanted use of that service context.

Why it was flagged

The skill uses or automatically provisions a provider token for authenticated API calls.

Skill content

Look for `NEMO_TOKEN` in the environment... Otherwise: Generate a UUID... POST ... `/api/auth/anonymous-token` ... Extract `data.token`

Recommendation

Use a dedicated token, avoid sharing it, and revoke or unset it when you no longer want the skill to access the service.

What this means

The provider's responses may cause the agent to perform edits or exports without showing every low-level step to the user.

Why it was flagged

The remote backend's GUI-style responses can drive follow-up API actions inside the session.

Skill content

Backend says ... 'click [button]' ... You do: Execute via API ... 'Export button' ... Execute export workflow

Recommendation

Keep actions limited to the active media project and confirm user-visible results before final export or download.

What this means

Users have less provenance information for deciding whether this is an official or trustworthy integration.

Why it was flagged

There is no local package to install, but the registry information does not establish an official source or homepage for the claimed service integration.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the publisher and service relationship before providing tokens or uploading private media.