Online Add Music

Pass

Audited by ClawScan on May 4, 2026.

Overview

This skill appears purpose-aligned for cloud video editing, but it uploads media to nemovideo.ai and uses a service token, so use it only with files you are comfortable sending to that provider.

Before installing, confirm you are comfortable sending your video/audio files to nemovideo.ai, keep the NEMO_TOKEN private, and supervise exports or credit-consuming render jobs. The artifacts do not show malicious behavior, but the service provenance is limited.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private videos, audio, images, and edit prompts may leave the local environment and be processed by the NemoVideo cloud service.

Why it was flagged

The skill explicitly sends uploaded media or media URLs to an external provider for processing.

Skill content

All calls go to `https://mega-api-prod.nemovideo.ai` ... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.

Recommendation

Only upload media you are comfortable sharing with that service, and review the provider’s privacy and retention practices if the content is sensitive.

What this means

Anyone with the token could potentially use the associated NemoVideo session or credits until the token expires or is revoked.

Why it was flagged

The skill uses or obtains a bearer token to authorize service calls, which is expected for the cloud backend but still creates delegated account/credit authority.

Skill content

Token check: Look for `NEMO_TOKEN` ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Keep NEMO_TOKEN private, avoid pasting it into chats or logs, and use a dedicated/limited token where possible.

What this means

The skill may perform additional edit/export/status API calls based on backend responses, which could consume credits or create render jobs.

Why it was flagged

The agent is instructed to convert backend responses into follow-up API operations; this is coherent for a GUI-backed editing service but means the remote service can influence scoped actions.

Skill content

Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow

Recommendation

Review requested exports and credit-consuming operations, especially for long or large files.

What this means

Users have less external context for deciding whether to trust the skill and its cloud backend.

Why it was flagged

The artifacts provide no upstream source or homepage to independently verify the skill publisher or service provenance.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you are comfortable with the listed provider domain and the visible instructions; prefer a skill with a verifiable source or homepage for sensitive work.