Script To Video Ai
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may perform video-project actions through the provider API based on backend messages during a generation/editing flow.
The skill tells the agent to convert backend responses into API actions. This is expected for a cloud video workflow, but users should know actions may be driven by backend responses rather than direct local UI clicks.
The backend responds as if there's a visual interface. Map its instructions to API calls: - "click" or "点击" → execute the action via the relevant endpoint
Keep usage tied to explicit user requests and confirm before any action that may consume credits, export content, or materially change the project.
Anyone with the token could potentially use the associated video-generation session or credits until it expires.
The skill uses a bearer token for the Nemovideo service. This is purpose-aligned, but the token authorizes sessions and credits for the backend.
Authentication: Check if `NEMO_TOKEN` is set... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... The response `data.token` is your NEMO_TOKEN
Treat NEMO_TOKEN as a secret, use a dedicated token when possible, and avoid sharing logs or transcripts that might expose it.
Scripts, documents, audio, images, or video assets you upload may be processed by the external Nemovideo service.
The skill sends user-provided files or URLs to an external processing backend. This is central to cloud rendering, but the artifacts do not describe provider retention or privacy handling.
API base: `https://mega-api-prod.nemovideo.ai` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL
Only upload files you are comfortable sending to that provider, especially if scripts contain confidential business, personal, or unreleased content.
A render job may keep running on the provider side even if you close the client before completion.
The skill maintains a backend session and render jobs can continue independently once started. This is expected for cloud rendering but is persistent behavior users should notice.
Store the returned `session_id` for all subsequent requests... closing the tab before completion orphans the job.
Start renders only when intended, and check project status or provider controls if you need to stop or discard a job.