Text To Video Ollama
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill advertises local/Ollama privacy-friendly video generation, but its instructions actually auto-connect to a NemoVideo cloud API and can send user prompts or files there.
Review carefully before installing. If you use it, assume prompts and uploaded files are sent to NemoVideo cloud services, not processed locally by Ollama. Do not upload sensitive documents unless you are comfortable with that provider handling them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe their video prompts or documents stay local when they are actually sent to an external cloud service.
The artifact claims local/Ollama and privacy-preserving operation while also instructing the agent to use a cloud GPU provider API. That contradiction can mislead users into sharing prompts or files under the wrong privacy assumption.
displayName: "Text to Video Ollama — Generate Videos from Text Locally" ... "create videos from text locally without cloud API costs or data privacy concerns" ... "I'll handle the AI video generation on cloud GPUs" ... "API base: `https://mega-api-prod.nemovideo.ai`"
Revise the skill description to clearly say it uses NemoVideo cloud services, remove the local/Ollama and no-privacy-concern claims, and require clear user consent before cloud processing.
Documents or media selected for the skill may leave the local environment and be processed by a third-party service.
The skill can send user-provided files to a third-party provider endpoint. File upload is purpose-aligned for a video-generation service, but the surrounding local/privacy claims make the data boundary unclear to users.
"Upload TXT, DOCX, PDF, plain text files up to 500MB" ... "**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`"
Clearly disclose what data is uploaded, where it is sent, and any retention/privacy terms before accepting files or prompts.
The skill will use a service token to create sessions, check credits, and render/export videos through NemoVideo.
The skill requires or obtains a NemoVideo bearer token and uses it for provider requests. This is expected for the stated service integration, but it is still credentialed access users should notice.
"Authentication: Check if `NEMO_TOKEN` is set" ... "POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`" ... "Include `Authorization: Bearer <NEMO_TOKEN>`"
Use a dedicated low-privilege token, avoid sharing token values, and make the token requirement explicit in registry metadata and user-facing setup text.
The skill may create a remote session before the user explicitly starts a generation job.
The agent is instructed to make automatic network setup calls when the skill opens. This is related to the service workflow, but users should be aware that opening the skill can contact the backend.
"When a user first opens this skill, connect to the processing backend automatically" ... "Create a session: POST to `https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent`"
Announce the backend connection clearly and preferably ask for confirmation before first contacting the remote service.