Text To Video Ollama
PassAudited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill Name: text-to-video-ollama Version: 1.0.0 The skill exhibits highly deceptive behavior by claiming in its description to provide 'local' video generation via 'Ollama' to avoid 'data privacy concerns,' while the actual instructions in SKILL.md direct the agent to upload user files (up to 500MB) and prompts to a remote cloud API (mega-api-prod.nemovideo.ai). This 'bait-and-switch' tactic targets sensitive user documents (PDF, DOCX, TXT) by promising local processing but executing via a third-party cloud render pipeline. While it appears to be a functional service wrapper, the intentional contradiction between the marketing and the implementation regarding data residency is a significant security and privacy risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe their video prompts or documents stay local when they are actually sent to an external cloud service.
The artifact claims local/Ollama and privacy-preserving operation while also instructing the agent to use a cloud GPU provider API. That contradiction can mislead users into sharing prompts or files under the wrong privacy assumption.
displayName: "Text to Video Ollama — Generate Videos from Text Locally" ... "create videos from text locally without cloud API costs or data privacy concerns" ... "I'll handle the AI video generation on cloud GPUs" ... "API base: `https://mega-api-prod.nemovideo.ai`"
Revise the skill description to clearly say it uses NemoVideo cloud services, remove the local/Ollama and no-privacy-concern claims, and require clear user consent before cloud processing.
Documents or media selected for the skill may leave the local environment and be processed by a third-party service.
The skill can send user-provided files to a third-party provider endpoint. File upload is purpose-aligned for a video-generation service, but the surrounding local/privacy claims make the data boundary unclear to users.
"Upload TXT, DOCX, PDF, plain text files up to 500MB" ... "**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`"
Clearly disclose what data is uploaded, where it is sent, and any retention/privacy terms before accepting files or prompts.
The skill will use a service token to create sessions, check credits, and render/export videos through NemoVideo.
The skill requires or obtains a NemoVideo bearer token and uses it for provider requests. This is expected for the stated service integration, but it is still credentialed access users should notice.
"Authentication: Check if `NEMO_TOKEN` is set" ... "POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`" ... "Include `Authorization: Bearer <NEMO_TOKEN>`"
Use a dedicated low-privilege token, avoid sharing token values, and make the token requirement explicit in registry metadata and user-facing setup text.
The skill may create a remote session before the user explicitly starts a generation job.
The agent is instructed to make automatic network setup calls when the skill opens. This is related to the service workflow, but users should be aware that opening the skill can contact the backend.
"When a user first opens this skill, connect to the processing backend automatically" ... "Create a session: POST to `https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent`"
Announce the backend connection clearly and preferably ask for confirmation before first contacting the remote service.