Online Add Music

Pass

Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: online-add-music
Version: 1.0.0

The skill is a functional wrapper for a cloud-based video editing service (nemovideo.ai). It manages authentication via an anonymous token exchange, handles file uploads, and processes video rendering through a series of standard API calls to mega-api-prod.nemovideo.ai. The instructions in SKILL.md are well-defined, focusing on session management, error handling, and translating backend responses for the user. There is no evidence of data exfiltration, malicious command execution, or harmful prompt injection; all network and file activities are strictly aligned with the stated purpose of adding music to video files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private videos, audio, images, and edit prompts may leave the local environment and be processed by the NemoVideo cloud service.

Why it was flagged

The skill explicitly sends uploaded media or media URLs to an external provider for processing.

Skill content

All calls go to `https://mega-api-prod.nemovideo.ai` ... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.

Recommendation

Only upload media you are comfortable sharing with that service, and review the provider’s privacy and retention practices if the content is sensitive.

What this means

Anyone with the token could potentially use the associated NemoVideo session or credits until the token expires or is revoked.

Why it was flagged

The skill uses or obtains a bearer token to authorize service calls, which is expected for the cloud backend but still creates delegated account/credit authority.

Skill content

Token check: Look for `NEMO_TOKEN` ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Keep NEMO_TOKEN private, avoid pasting it into chats or logs, and use a dedicated/limited token where possible.

What this means

The skill may perform additional edit/export/status API calls based on backend responses, which could consume credits or create render jobs.

Why it was flagged

The agent is instructed to convert backend responses into follow-up API operations; this is coherent for a GUI-backed editing service but means the remote service can influence scoped actions.

Skill content

Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow

Recommendation

Review requested exports and credit-consuming operations, especially for long or large files.

What this means

Users have less external context for deciding whether to trust the skill and its cloud backend.

Why it was flagged

The artifacts provide no upstream source or homepage to independently verify the skill publisher or service provenance.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you are comfortable with the listed provider domain and the visible instructions; prefer a skill with a verifiable source or homepage for sensitive work.