Karaoke Video
PassAudited by ClawScan on May 11, 2026.
Overview
This appears to be a disclosed cloud karaoke-video rendering integration that uploads user-selected media to NemoVideo and uses an API token, with no artifact-backed malicious behavior.
Before installing, be comfortable with uploading your media to NemoVideo's cloud service and with the skill using NEMO_TOKEN or an anonymous token for API calls and credits. For private songs, unreleased videos, or client material, review the provider's privacy and retention practices first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Audio, video, images, and edit prompts you provide may be uploaded to NemoVideo's servers for processing.
The skill explicitly sends user media to an external cloud rendering service. This is expected for the stated purpose, but it creates a privacy/data-boundary consideration.
Upload MP4, MOV, AVI, WAV files up to 500MB... All rendering happens server-side.
Only use media you are comfortable sending to the provider, and check the provider's terms or retention policy if the content is private or sensitive.
The skill can consume credits or operate under the NemoVideo token available to the agent.
The skill uses a bearer token or automatically acquired anonymous token to access the NemoVideo API and credits. This is coherent with the integration, but it is account/credit-bearing authority.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`... acquire a free starter token
Use a dedicated token where possible, monitor credit usage, and avoid sharing a higher-privilege token than needed.
Editing, state, upload, or export calls may happen as part of the remote workflow rather than being shown as separate manual steps.
Provider responses can cause the agent to perform additional API actions inside the video editing workflow. The scope appears limited to the disclosed NemoVideo endpoints, but users should be aware that actions may be driven by backend instructions.
The backend responds as if there's a visual interface. Map its instructions to API calls: "click"... execute the action via the relevant endpoint
Give clear instructions and confirm before exports or credit-consuming operations if the result matters.