Generation To Generator
PassAudited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill Name: generation-to-generator Version: 1.0.0 The 'generation-to-generator' skill is a functional integration for a cloud-based AI video generation service (nemovideo.ai). The SKILL.md file provides detailed instructions for an AI agent to manage authentication (via NEMO_TOKEN or anonymous UUID-based tokens), handle file uploads, and interact with a remote rendering pipeline. It includes appropriate error handling and security-conscious instructions, such as suppressing the output of raw tokens or JSON. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Content you provide to the skill, including documents or media files, can leave your machine and be processed by NemoVideo's servers.
The skill clearly discloses that user-provided prompts and files may be sent to a remote cloud service for rendering.
Upload TXT, DOCX, PDF, MP4 files up to 200MB... All rendering happens server-side.
Only upload material you are comfortable sending to the service, and avoid confidential or regulated content unless you trust the provider and its terms.
The token may grant access to your NemoVideo credits, sessions, or render jobs.
The skill uses a service-specific bearer token for API access and includes a protective instruction not to display it.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`... Don't print tokens or raw JSON.
Use a token intended for this service, keep it private, and revoke or rotate it if you stop using the skill.
After you invoke the skill, it may create a session and perform workflow API calls without separately asking about each low-level step.
The instructions allow automatic API setup and some backend-driven API actions, but these are tied to the disclosed video generation workflow.
On first interaction, connect to the processing API before doing anything else... Backend says "click [button]" / "点击" | Execute via API
Review generated video/export actions before requesting them, especially if using a paid or account-linked token.
It may be harder to independently verify who maintains the integration or the remote service it uses.
The skill is instruction-only, but the registry provides limited provenance information for a skill that depends on a remote API.
Source: unknown; Homepage: none
Verify the provider and API domain before sending sensitive media or relying on the service for business use.