Photo To Video With Music

Advisory

Audited by Static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private photos, audio, prompts, and generated video state may be handled by the external NemoVideo service.

Why it was flagged

The skill discloses that media processing happens on a remote provider, meaning uploaded photos and audio are transmitted outside the user's local environment.

Skill content

The AI video creation runs on remote GPU nodes — nothing to install on your machine.

Recommendation

Only upload media you are comfortable sending to the provider, and review the provider's privacy/retention terms if the content is sensitive.

What this means

Anyone with the token could potentially use the associated NemoVideo session or credits until it expires or is revoked.

Why it was flagged

The skill requires a bearer token for the remote service. This is expected for the integration, and the instructions also say not to print tokens.

Skill content

All requests must include: `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Use a dedicated token when possible, avoid sharing logs that contain credentials, and rotate or remove the token if you no longer use the skill.

What this means

The agent may create a remote session before performing the requested video task.

Why it was flagged

The skill directs the agent to initiate network API setup automatically. This is disclosed and aligned with the cloud-rendering workflow, but users should know it may contact the service immediately.

Skill content

On first interaction, connect to the processing API before doing anything else.

Recommendation

If you want tighter control, ask the agent to confirm before uploading files or starting renders.

What this means

Users have less public information to evaluate who operates the skill and the connected API.

Why it was flagged

The registry metadata does not identify a source repository or homepage, which limits independent verification of the publisher or service provenance.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and service before uploading personal or confidential media.

Note
High Confidence
ASI10: Rogue Agents

What this means

A render operation may continue server-side even if the local interaction ends unexpectedly.

Why it was flagged

The artifact states render jobs are tied to remote session/job IDs and may continue or become orphaned if the user leaves before completion.

Skill content

closing the tab before completion orphans the job

Recommendation

Let renders finish when possible, and avoid starting jobs with sensitive media unless you trust the service.