Login Video
PassAudited by ClawScan on May 4, 2026.
Overview
The skill is coherent for cloud video editing, but it sends login-flow media to NemoVideo and uses a Nemo token, so users should avoid including real secrets.
Install only if you are comfortable sending the selected media to NemoVideo's cloud API. Use test login flows or redact secrets, avoid recording real passwords or tokens, and monitor any NemoVideo token or credit usage.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Uploaded recordings and prompts may be processed by the NemoVideo backend rather than staying on the user's device.
The skill sends user-supplied login-flow media to an external cloud provider for processing. This is expected for the stated purpose, but login recordings can contain usernames, passwords, MFA screens, or other sensitive details.
This tool takes your raw video footage and runs AI login video creation through a cloud rendering pipeline... `/api/upload-video/nemo_agent/me/<sid>`
Use sanitized or test-account footage, avoid showing real passwords or tokens, and review the provider's privacy and retention terms before uploading sensitive login flows.
Requests may consume NemoVideo credits or operate under the user's configured NemoVideo token.
The skill uses a service token to create sessions, upload media, check credits, and export videos. This is purpose-aligned, but it delegates actions and credit usage to the provider account or anonymous token.
If `NEMO_TOKEN` is in the environment, use it directly... Otherwise, acquire a free starter token... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request
Use a limited-purpose token where possible, monitor credit usage, and do not share the token outside the intended environment.
A mistaken or compromised backend response could trigger unintended NemoVideo workflow actions such as state changes or exports within the session.
Backend SSE responses can cause the agent to perform follow-up API calls internally. This appears intended for the editing workflow, but it means external backend instructions influence tool use without necessarily showing each step to the user.
Text events go straight to the user... Tool calls stay internal... The backend responds as if there's a visual interface. Map its instructions to API calls: "click" ... → execute the action via the relevant endpoint
Keep actions limited to the user's stated video task, and ask for user confirmation before exports, credit-spending operations, or unexpected uploads.