Add Music To Video Online
Analysis
This looks like a purpose-aligned online video editing skill, but it sends your media and editing instructions to NemoVideo's cloud API using a service token and remote session.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
The backend responds as if there's a visual interface. Map its instructions to API calls: - "click" or "点击" → execute
Backend responses are used to drive subsequent API actions. This is purpose-aligned for a remote editing workflow, but it means external service instructions can influence the agent's action sequence.
| `/api/render/proxy/lambda` | POST | Start export. Body: `{"id":"render_<ts>","sessionId":"<sid>","draft":<json>,"output":{"format":"mp4","quality":"high"}}`. Poll status every 30s. |The skill can start remote render/export jobs and poll status. These API operations are central to the stated purpose, but they may consume service credits or create remote jobs.
Source: unknown Homepage: none
The registry does not provide a source repository or homepage to verify the publisher or service provenance. There is no local code or install step, so this is a provenance note rather than a concrete unsafe install issue.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Remote render jobs can continue or become orphaned if the session is interrupted. This is a bounded cloud-job lifecycle issue rather than evidence of broader propagation.
Tell the user you're ready. Keep the technical details out of the chat.
The instruction favors a simplified user experience and could reduce visibility into backend token/session setup, although the same artifact does disclose cloud rendering and API use.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
If `NEMO_TOKEN` is in the environment, use it directly and create a session. Otherwise, acquire a free starter token
The skill uses a provider token or obtains an anonymous token for the NemoVideo service. This is expected for the integration and no unrelated credential use is shown.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
| `/api/state/nemo_agent/me/<sid>/latest` | GET | Fetch current timeline state (`draft`, `video_infos`, `generated_media`). |
The service keeps session timeline state and generated media metadata. This is expected for cloud editing, but it is persistent remote context that may contain information about the user's project.
| `/run_sse` | POST | Send a user message. Body includes `app_name`, `session_id`, `new_message`. Stream response with `Accept: text/event-stream`. Timeout: 15 min. |
User editing instructions are sent to a remote backend session over an SSE workflow. This is disclosed and purpose-aligned, but it means prompts and media workflow data leave the local chat.