Shorts Generator
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: shorts-generator Version: 1.0.0 The shorts-generator skill is a legitimate integration for a video processing service (nemovideo.ai). It manages video uploads, AI-driven editing via SSE, and cloud rendering workflows. The skill includes standard security practices such as instructing the agent to hide raw API tokens from the user and uses a dedicated configuration directory (~/.config/nemovideo/). No indicators of data exfiltration, malicious execution, or harmful prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The token can authorize provider-side actions such as creating sessions, uploading media, checking credits, and rendering/exporting videos.
The skill obtains and uses a bearer token for the remote video service. This is expected for the integration, but it is still credential/session authority.
Check if `NEMO_TOKEN` is set... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... The response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days.
Use only the intended NemoVideo token for this skill, avoid sharing unrelated credentials, and rotate or remove the token if you stop using the service.
Uploaded videos, images, or audio may be processed and stored by the third-party backend according to that provider's practices.
The documented workflow sends user-selected files or URLs to a remote provider for processing. This is central to the skill's purpose, but it crosses a data boundary.
The AI shorts creation runs on remote GPU nodes... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Only upload media you are comfortable sending to the remote service, and avoid confidential or regulated content unless you have reviewed the provider's terms and privacy controls.
The agent may continue editing or exporting within the remote video session based on backend responses, which could consume credits or produce outputs the user should review.
The skill instructs the agent to convert backend messages into API actions. This appears designed to operate a GUI-less video workflow, but it gives remote backend responses some control over follow-up actions.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Review generated drafts and exports before posting, and ask for status or credit balance if you are unsure what action the backend is taking.
Users have less independent information for verifying who operates the service or where to review its policies.
The registry metadata provides limited provenance. This matters because the skill asks users to interact with a remote backend and upload media.
Source: unknown; Homepage: none
Verify the provider and service terms before uploading valuable, private, or client-owned media.