v1.0.0

Music To Ai

Benign

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:46 PM.

Analysis

This instruction-only skill is coherent with its purpose, but users should know it automatically connects to a third-party NemoVideo API and uploads media there for cloud rendering.

Guidance: This skill appears safe for its stated purpose, but it is a cloud-processing integration: only upload audio or media you are comfortable sending to mega-api-prod.nemovideo.ai, keep NEMO_TOKEN private, and wait for export jobs to finish before closing the session.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
"click" or "点击" → execute the action via the relevant endpoint ... "Export" or "导出" → run the export workflow

The skill tells the agent to translate provider-style GUI instructions into API actions. This is aligned with the music-video workflow, but it makes remote/provider instructions influential over subsequent tool use.

User impact: The external video service may guide the agent through actions such as querying state or exporting the video.
Recommendation: Use the skill for the intended video-generation workflow and review final outputs or exports before sharing them publicly.
Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

The skill can upload user-selected files or URLs to the cloud provider. This is central to generating videos from media, but it is still an external transfer users should notice.

User impact: Files or URLs you provide for video generation will be sent to the NemoVideo API.
Recommendation: Only provide media files you are comfortable uploading to the third-party service.
Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none

The skill has no published source or homepage in the provided metadata. There is no install code or dependency risk shown, but provenance is limited.

User impact: You have less external information to verify who operates or maintains this integration.
Recommendation: Review the provider domain and token requirements before using the skill with private or unreleased media.
Cascading Failures
Severity: Info; Confidence: Medium; Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

The cloud render can continue as a provider-side job tied to the session. This is normal for rendering, but interrupted sessions may leave jobs in an unclear state.

User impact: If you stop midway, a render job may continue or become difficult to resume from the chat.
Recommendation: Wait for renders to finish before closing the session when possible, and avoid starting duplicate exports unnecessarily.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Info; Confidence: High; Status: Note
SKILL.md
If `NEMO_TOKEN` environment variable is already set, use it ... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request

The skill uses a bearer token for the NemoVideo service. This is expected for the integrated API and the instructions explicitly say not to print tokens.

User impact: The skill will use your NemoVideo token, or an anonymous token it creates, to access the provider service.
Recommendation: Keep NEMO_TOKEN private and avoid sharing logs or transcripts that might expose credentials.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Save `session_id` from the response ... Session state: GET `/api/state/nemo_agent/me/<sid>/latest`

The skill maintains a provider session and reads remote session state for drafts and generated media. This is necessary for rendering, but user media and draft state live in the provider workflow.

User impact: Your project state and generated media metadata may be retained in the remote service session while the job is active.
Recommendation: Do not upload confidential audio or media unless you are comfortable with it being processed and stored by the provider during generation.
Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
API base: `https://mega-api-prod.nemovideo.ai` ... Send message (SSE): POST `/run_sse` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>`

The skill communicates with an external provider over HTTPS for messages, uploads, state, credits, and exports. This is disclosed and purpose-aligned, but it is an external data boundary.

User impact: Prompts, media uploads, and render state are sent to NemoVideo’s cloud API.
Recommendation: Use the skill only with content you are willing to send to the listed provider domain.