v1.0.0

Noizai Video

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:50 PM.

Analysis

This instruction-only skill appears purpose-aligned, but it sends uploaded videos, prompts, and service tokens to a disclosed cloud processing API.

GuidanceThis skill is reasonable for cloud video noise removal, but only use it with footage you are comfortable uploading to `mega-api-prod.nemovideo.ai`; protect your NEMO_TOKEN and monitor credits when exporting.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

"The backend responds as if there's a visual interface. Map its instructions to API calls"

Backend-provided instructions are intentionally translated into further API actions, so the service response can steer the workflow within the video-editing task.

User impactIf the backend gives an unexpected instruction, the agent may perform an unintended edit, state query, or export within the Noizai workflow.

RecommendationUse this skill for the intended video workflow and review summaries before export or other credit-consuming operations.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

"Upload — POST /api/upload-video/nemo_agent/me/<sid>" and "Export — POST /api/render/proxy/lambda"

The skill can upload user media and start cloud render/export jobs, which is expected for video cleanup but is still a meaningful external action.

User impactUsing the skill may upload files to the provider and consume processing credits for render/export jobs.

RecommendationOnly provide videos you intend to process with this service, and confirm export or credit-sensitive actions when appropriate.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The skill has no source repository or homepage listed, so users have limited provenance information for the publisher or integration.

User impactUsers must trust the listed publisher and API endpoint without an artifact-provided project homepage or source link.

RecommendationVerify that the `mega-api-prod.nemovideo.ai` service and publisher are acceptable before sending sensitive media.

Cascading Failures

SeverityLowConfidenceMediumStatusNote

SKILL.md

"closing the tab before completion orphans the job"

The documented cloud render lifecycle can leave a remote render job orphaned if the session is interrupted.

User impactAn interrupted export may continue or become hard to recover, potentially wasting processing time or credits.

RecommendationKeep the session open until export completes and check credits/status if a render is interrupted.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

"Every API call needs `Authorization: Bearer <NEMO_TOKEN>`"

The skill uses a bearer token to authenticate to the Noizai/Nemo video service, which is expected for this cloud integration.

User impactAnyone with the token could potentially use the associated service credits or session access.

RecommendationUse a dedicated or temporary token where possible, do not paste tokens into chat, and rotate the token if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

"Save `session_id` from the response" and "State — GET /api/state/nemo_agent/me/<sid>/latest — current draft and media info"

The skill keeps and reuses a remote session identifier and retrieves session state containing draft and media information.

User impactA stale or mixed-up session could cause the agent to act on the wrong draft or media state.

RecommendationUse separate sessions for separate projects and ask for a state summary before making important edits or exports.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

"All calls go to `https://mega-api-prod.nemovideo.ai`" and "Chat (SSE) — `POST /run_sse`"

The skill communicates with an external provider API for chat, upload, state, render, and export operations.

User impactUploaded video/audio, prompts, session state, and authorization tokens are sent to the external video-processing provider.

RecommendationDo not use the skill with confidential footage unless the provider's privacy, retention, and account terms meet your needs.