Music To Ai

Pass

Audited by ClawScan on Apr 30, 2026.

Overview

This instruction-only skill is coherent with its purpose, but users should know it automatically connects to a third-party NemoVideo API and uploads media there for cloud rendering.

This skill appears safe for its stated purpose, but it is a cloud-processing integration: only upload audio or media you are comfortable sending to mega-api-prod.nemovideo.ai, keep NEMO_TOKEN private, and wait for export jobs to finish before closing the session.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
Medium Confidence
ASI01: Agent Goal Hijack
What this means

The external video service may guide the agent through actions such as querying state or exporting the video.

Why it was flagged

The skill tells the agent to translate provider-style GUI instructions into API actions. This is aligned with the music-video workflow, but it makes remote/provider instructions influential over subsequent tool use.

Skill content
"click" or "点击" → execute the action via the relevant endpoint ... "Export" or "导出" → run the export workflow
Recommendation

Use the skill for the intended video-generation workflow and review final outputs or exports before sharing them publicly.

What this means

Files or URLs you provide for video generation will be sent to the NemoVideo API.

Why it was flagged

The skill can upload user-selected files or URLs to the cloud provider. This is central to generating videos from media, but it is still an external transfer users should notice.

Skill content
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`
Recommendation

Only provide media files you are comfortable uploading to the third-party service.

What this means

The skill will use your NemoVideo token, or an anonymous token it creates, to access the provider service.

Why it was flagged

The skill uses a bearer token for the NemoVideo service. This is expected for the integrated API and the instructions explicitly say not to print tokens.

Skill content
If `NEMO_TOKEN` environment variable is already set, use it ... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request
Recommendation

Keep NEMO_TOKEN private and avoid sharing logs or transcripts that might expose credentials.

What this means

You have less external information to verify who operates or maintains this integration.

Why it was flagged

The skill has no published source or homepage in the provided metadata. There is no install code or dependency risk shown, but provenance is limited.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the provider domain and token requirements before using the skill with private or unreleased media.

What this means

Your project state and generated media metadata may be retained in the remote service session while the job is active.

Why it was flagged

The skill maintains a provider session and reads remote session state for drafts and generated media. This is necessary for rendering, but user media and draft state live in the provider workflow.

Skill content
Save `session_id` from the response ... Session state: GET `/api/state/nemo_agent/me/<sid>/latest`
Recommendation

Do not upload confidential audio or media unless you are comfortable with it being processed and stored by the provider during generation.

What this means

Prompts, media uploads, and render state are sent to NemoVideo’s cloud API.

Why it was flagged

The skill communicates with an external provider over HTTPS for messages, uploads, state, credits, and exports. This is disclosed and purpose-aligned, but it is an external data boundary.

Skill content
API base: `https://mega-api-prod.nemovideo.ai` ... Send message (SSE): POST `/run_sse` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>`
Recommendation

Use the skill only with content you are willing to send to the listed provider domain.

Note
Medium Confidence
ASI08: Cascading Failures
What this means

If you stop midway, a render job may continue or become difficult to resume from the chat.

Why it was flagged

The cloud render can continue as a provider-side job tied to the session. This is normal for rendering, but interrupted sessions may leave jobs in an unclear state.

Skill content
The session token carries render job IDs, so closing the tab before completion orphans the job.
Recommendation

Wait for renders to finish before closing the session when possible, and avoid starting duplicate exports unnecessarily.