Shorts Video Generator
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: shorts-video-generator Version: 1.0.0 The skill is a legitimate integration for the NemoVideo AI service, designed to automate video clipping and editing via a cloud-based API (mega-api-prod.nemovideo.ai). It handles session management, file uploads, and status polling as described in its documentation. There is no evidence of malicious intent, data exfiltration of sensitive system files, or harmful prompt injection; notably, SKILL.md includes security-positive instructions to prevent the AI agent from exposing API tokens or raw backend data to the user.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may continue video editing, state polling, or export steps through the provider API based on the workflow rather than showing every internal call.
The agent is instructed to translate GUI-like backend responses into API calls. This is aligned with the video-editing workflow, but users should know some cloud actions may be automated once the workflow is started.
“click” or “点击” → execute the action via the relevant endpoint ... “Export” or “导出” → run the export workflow
For sensitive or credit-consuming work, ask the agent to confirm before upload and export steps.
The token may authorize API use and consume service credits for video processing.
The skill uses a bearer token for the NemoVideo service and can automatically acquire an anonymous token if none is present. This is expected for the cloud backend, and the skill also says not to expose tokens.
All requests must include: `Authorization: Bearer <NEMO_TOKEN>`
Keep NEMO_TOKEN private, monitor credit usage, and revoke or rotate the token if it is shared accidentally.
It may be harder to independently verify who operates the cloud service before uploading media.
The skill has limited publisher or service provenance in the supplied metadata. There is no executable install code, so this is a provenance note rather than a behavioral concern.
Source: unknown; Homepage: none
Verify the service domain and publisher trust level before using the skill with private or commercially sensitive videos.
Uploaded videos and editing instructions may be processed by the external backend.
User videos, prompts, and workflow state are sent to an external cloud provider for processing. This is clearly part of the stated purpose, but retention and privacy boundaries are not described in the artifact.
All calls go to `https://mega-api-prod.nemovideo.ai` ... Upload — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.
Only upload media you are comfortable sending to the provider, and avoid private or regulated content unless you have verified the provider’s privacy terms.