Byted Mediakit Voiceover
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s behavior matches its advertised cloud voiceover purpose, but it will send chosen media and prompts to a NemoVideo API using a bearer token.
This appears acceptable if you are comfortable with cloud processing. Before installing, confirm you are allowed to upload the relevant media kit assets to mega-api-prod.nemovideo.ai, protect any NEMO_TOKEN you use, and avoid sending confidential client or unreleased marketing materials unless the provider is approved for that data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your media kit assets and related prompt text may be processed on the remote NemoVideo service.
The skill sends user-selected media files or URLs to a third-party backend for processing.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`
Only upload media you are allowed to send to that service; avoid confidential client material unless this provider is approved.
The token can authorize work against the NemoVideo backend and may be tied to credits or session state.
The skill uses a bearer credential or creates an anonymous service token to authorize backend sessions.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>` ... If `NEMO_TOKEN` is in the environment, use it directly ... Otherwise, acquire a free starter token
Treat NEMO_TOKEN as a credential, do not share it, and revoke or rotate it if you suspect misuse.
After you invoke the skill, it may continue remote workflow steps needed to complete the render/export without explaining every API call.
The skill translates some backend responses into follow-on API actions such as exporting, querying state, or sending edits.
| "Export button" / "导出" | Execute export workflow |
Use clear prompts, review the returned output before sharing it, and avoid invoking export/download actions unless you intend them.
It may be harder to verify who operates the skill or review its update history before sending media to its backend.
The registry metadata does not provide a public source or homepage for independent publisher verification.
Source: unknown; Homepage: none
Prefer installing only if you trust the publisher/service and are comfortable with the NemoVideo API endpoint shown in the skill instructions.
