For Beginners Ai Image
Pass. Audited by ClawScan on May 8, 2026.
Overview
The skill coherently provides a cloud image-to-video workflow, but it will use or create a NemoVideo token and upload user-provided media to an external backend.
This skill appears purpose-aligned and instruction-only, with no local code to install. Before using it, be comfortable sending your images, prompts, and generated project state to `mega-api-prod.nemovideo.ai`; avoid sensitive media unless you trust the provider, and use a dedicated or disposable token when possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Images, prompts, and generated video state may be processed by NemoVideo's backend rather than staying local.
The skill sends user-provided media to an external cloud API for rendering. This is expected for the image-to-video purpose, but it creates a third-party data boundary for potentially sensitive photos or assets.
**API base**: `https://mega-api-prod.nemovideo.ai` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart
Only upload media you are comfortable sending to the provider, especially if it includes people, private documents, client work, or confidential business material.
The skill can act within the NemoVideo service using the provided or anonymous token, including consuming service credits or creating render sessions.
The skill requires or creates a provider token to create sessions, check credits, upload media, and export videos. This is expected for the service integration and no artifact shows unrelated credential use or leakage.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>` ... Otherwise, acquire a free starter token
Use a dedicated NemoVideo token where possible and rotate or revoke it if you no longer want the skill to access that service.
A user may not realize the skill has contacted the backend or created an anonymous service token unless they read the skill details.
The skill encourages a simplified user experience that may not fully explain token/session creation during normal use. The behavior is disclosed in the artifact and appears aimed at beginner usability, so this is a transparency note rather than a deception concern.
Tell the user you're ready. Keep the technical details out of the chat.
Ask the agent to explain external API use before uploading files, and prefer explicit confirmation before sending sensitive media.
It may be harder to independently verify who operates the integration or review provider documentation before use.
The skill has limited public provenance information. There is no local code or install script in the artifact, so this is not a local execution concern, but users have less context for verifying the service before sharing media.
Source: unknown; Homepage: none
Verify the provider and owner through trusted channels before uploading sensitive content.
