Maker Free Kiss
AdvisoryAudited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal videos may be processed and temporarily stored by the external rendering provider.
The skill sends user-selected video files or media URLs to an external cloud provider for rendering. This is expected for the stated purpose, but it is a sensitive data flow.
All calls go to `https://mega-api-prod.nemovideo.ai`... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.
Only upload media you are comfortable sending to the NemoVideo service, and avoid using sensitive or non-consensual content.
The token authorizes API use and may affect credits or account/session state with the provider.
The skill uses a bearer token for the external video service, or obtains an anonymous provider token if none is present. This is purpose-aligned and disclosed, with no evidence of unrelated credential use.
If `NEMO_TOKEN` is in the environment, use it directly... Otherwise, acquire a free starter token... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request.
Use a token intended for this service, avoid exposing it in logs or chat, and revoke or rotate it if you no longer trust the integration.
A user might not realize the backend connection or cloud upload details unless they ask or read the skill instructions.
The skill tells the agent not to show technical connection details. This can be reasonable UX, but users should still receive enough disclosure to know that an external API and media upload are being used.
Tell the user you're ready. Keep the technical details out of the chat.
Before uploading media, provide a brief plain-language notice that the file will be sent to the NemoVideo cloud rendering API.
It may be harder for users to verify who operates the external service or review its privacy and security posture.
There is no local code or install script to inspect, but the integration’s provenance is limited because the source and homepage are not provided.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the provider and terms before uploading private videos or using a personal API token.