Photo To Video With Music
ReviewAudited by ClawScan on May 6, 2026.
Overview
The skill is coherent for cloud-based photo-to-video rendering, but it sends uploaded media to an external API and uses a NEMO token/session, so users should review privacy and provenance before uploading sensitive files.
This appears safe to use for its stated purpose if you are comfortable sending your images, audio, and prompts to the NemoVideo cloud service. Use a dedicated token, avoid uploading confidential media unless you trust the provider, and confirm before starting uploads or renders if you want more control.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private photos, audio, prompts, and generated video state may be handled by the external NemoVideo service.
The skill discloses that media processing happens on a remote provider, meaning uploaded photos and audio are transmitted outside the user's local environment.
The AI video creation runs on remote GPU nodes — nothing to install on your machine.
Only upload media you are comfortable sending to the provider, and review the provider's privacy/retention terms if the content is sensitive.
Anyone with the token could potentially use the associated NemoVideo session or credits until it expires or is revoked.
The skill requires a bearer token for the remote service. This is expected for the integration, and the instructions also say not to print tokens.
All requests must include: `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token when possible, avoid sharing logs that contain credentials, and rotate or remove the token if you no longer use the skill.
The agent may create a remote session before performing the requested video task.
The skill directs the agent to initiate network API setup automatically. This is disclosed and aligned with the cloud-rendering workflow, but users should know it may contact the service immediately.
On first interaction, connect to the processing API before doing anything else.
If you want tighter control, ask the agent to confirm before uploading files or starting renders.
Users have less public information to evaluate who operates the skill and the connected API.
The registry metadata does not identify a source repository or homepage, which limits independent verification of the publisher or service provenance.
Source: unknown; Homepage: none
Verify the publisher and service before uploading personal or confidential media.
A render operation may continue server-side even if the local interaction ends unexpectedly.
The artifact states render jobs are tied to remote session/job IDs and may continue or become orphaned if the user leaves before completion.
closing the tab before completion orphans the job
Let renders finish when possible, and avoid starting jobs with sensitive media unless you trust the service.