Online Add Music To Video
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
During a session, the skill may edit the remote project, start exports, poll render jobs, and potentially use credits without showing every raw API step.
The agent is instructed to turn backend GUI-style responses into API calls, including export actions. This fits the video-editing purpose, but it means remote service responses can drive state-changing workflow steps.
"Backend says | You do" ... "click [button]" / "点击" | "Execute via API" ... "Export button" / "导出" | "Execute export workflow"
Use it only for the intended video project, and ask the agent to confirm before exporting or spending credits if that matters to you.
The token authorizes uploads, session operations, credit checks, and exports with the NemoVideo backend.
The skill uses a bearer token for NemoVideo API access and can create an anonymous token automatically. This is expected for the cloud service, and the artifact says not to expose tokens.
"Token check": Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Extract `data.token` ... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request
Treat NEMO_TOKEN like a credential, avoid sharing it, and revoke or rotate it if you no longer trust the service.
Videos, audio, image assets, prompts, session state, and export artifacts may be processed or stored by the remote NemoVideo service.
The skill discloses that user media and editing messages are sent to an external cloud provider for processing. This is central to the stated purpose, but it involves third-party handling of potentially private media.
"All calls go to `https://mega-api-prod.nemovideo.ai`." ... "Upload — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs."
Only upload media you are comfortable sending to that cloud service, and review the provider’s privacy and retention terms if the content is sensitive.
You have less information for verifying who operates the skill or its cloud backend before sending media to it.
The registry metadata does not provide a source repository or homepage for independent verification. Because this is instruction-only and has no install code, this is a provenance note rather than evidence of unsafe behavior.
Source: unknown; Homepage: none
Verify the service domain and provider outside the skill if you plan to upload private, business, or client content.