Km Video Zero

Advisory

Audited by Static analysis on May 4, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your raw footage, descriptions, and project state may be processed by the NemoVideo cloud service.

Why it was flagged

The skill sends user prompts and uploaded media files to a third-party cloud backend. This is expected for cloud rendering, but it means potentially private video/audio/image content leaves the local environment.

Skill content

This skill connects to a cloud processing backend... **Send message (SSE)**: POST `/run_sse`... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`

Recommendation

Use only footage you are comfortable uploading to the cloud, and review the provider’s privacy/retention terms if the content is sensitive.

What this means

The agent will authenticate to the video backend using a token tied to the session or account credits.

Why it was flagged

The skill uses or creates a bearer token for the cloud service. This is purpose-aligned, and the instructions say not to expose tokens, but it is still credential handling.

Skill content

Look for `NEMO_TOKEN` in the environment... Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Extract `data.token` from the response — this is your NEMO_TOKEN

Recommendation

Keep NEMO_TOKEN private, avoid sharing logs that may contain headers, and revoke or rotate the token if it is exposed.

What this means

A backend response can cause the agent to run follow-up actions such as querying state or exporting within the video service.

Why it was flagged

The skill tells the agent to translate backend text responses into API actions. This is part of the intended GUI-to-API workflow, but it means remote backend messages can steer the agent’s next service action.

Skill content

Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow

Recommendation

For important exports or edits, review the agent’s summary before relying on the result, and avoid treating backend-generated instructions as user approval for unrelated actions.

What this means

It may be harder to verify who operates the backend or where to find support/privacy documentation.

Why it was flagged

The skill has no local executable install step, but its source and homepage are not identified, limiting provenance checks for a cloud service that receives user media.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify that `mega-api-prod.nemovideo.ai` is the service you intend to use before uploading sensitive content.