Image To Video On Canva
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill appears purpose-aligned for creating videos from user-provided media, but users should notice that it sends media to NemoVideo APIs and is not clearly a Canva integration.
Before installing, understand that this skill contacts NemoVideo automatically to create a session/token and sends selected images or media to NemoVideo for cloud rendering. It does not include local executable code, and the documented behavior is broadly purpose-aligned, but verify the third-party provider and avoid uploading sensitive media unless that data flow is acceptable.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may automatically perform workflow actions like checking state or exporting when the provider response implies a GUI action.
The skill lets backend responses drive in-scope API actions such as export. This is aligned with the video-rendering workflow, but users should know the agent may act on provider responses rather than only direct user wording.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Use it for intended video-rendering tasks and review exports or credit-consuming actions if using a paid or personal Nemo account token.
Requests may consume credits or operate under the Nemo token available to the agent.
The skill uses a bearer token for the external rendering service. This is expected for the integration and the instructions say not to print tokens, but it is still account authority.
Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request
Use a token with only the access you intend for this service, and avoid sharing logs or transcripts that might contain credentials.
Uploaded photos, media, and edit prompts may be processed by NemoVideo's cloud service.
User-provided images and prompts are sent to an external provider for server-side rendering. This is central to the feature and disclosed, but it crosses a data boundary.
Send me your images ... All rendering happens server-side. ... All calls go to `https://mega-api-prod.nemovideo.ai`.
Do not upload private, confidential, or regulated media unless you are comfortable with that third-party processing.
A user might assume this is a Canva-backed workflow when the artifacts show requests going to a NemoVideo domain.
The name references Canva, but the disclosed API provider is NemoVideo. The destination is not hidden in the instructions, but the branding could confuse users about who processes their files.
displayName: "Image to Video on Canva — Convert Photos into Shareable Videos" ... All calls go to `https://mega-api-prod.nemovideo.ai`.
Verify that NemoVideo is the provider you intend to use before uploading media.