Video Editor Api

Pass. Audited by ClawScan on Apr 30, 2026.

Overview

This is a straightforward cloud video-editing skill, but it sends videos and prompts to a remote Nemo Video API using a token and keeps remote session/render state.

Before installing, decide whether you are comfortable sending your videos and editing prompts to the Nemo Video cloud API. Use a dedicated NEMO_TOKEN where possible, avoid uploading sensitive media unless you trust the provider, and ask for confirmation before important exports if you want more control.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The remote service may guide the agent's next editing/export actions within the video project.

Why it was flagged

The remote backend's responses are treated as operational instructions for the agent. This is purpose-aligned for a video-editing API, but it means backend text can steer the workflow.

Skill content
"The backend responds as if there's a visual interface. Map its instructions to API calls" ... "click" ... "execute the action" ... "Export" ... "run the export workflow"
Recommendation

Use the skill only for the intended video-editing task and ask the agent to confirm important exports or changes if you want tighter control.

What this means

Your selected videos or URLs may be uploaded to the provider and used to create rendered outputs.

Why it was flagged

The skill uses API operations that upload files or URLs and create remote render jobs. These are expected for cloud video editing, but they can transmit user media and mutate remote project state.

Skill content
"Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL" ... "Export ... POST `/api/render/proxy/lambda`"
Recommendation

Only provide clips and URLs you intend to send to the remote service, and review major edit/export requests before proceeding.

What this means

The skill can authenticate to the Nemo Video service as whoever owns the provided or generated token.

Why it was flagged

The skill uses a bearer token and declares a Nemo config path. This is coherent with an authenticated cloud video API, but it is sensitive authority that users should be aware of.

Skill content
"requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}, "primaryEnv": "NEMO_TOKEN" ... "All requests must include: `Authorization: Bearer <NEMO_TOKEN>`"
Recommendation

Use a dedicated token if possible, avoid sharing the token in chat, and verify whether the local Nemo config path is actually needed before granting access.

What this means

Users have limited registry-provided information for verifying the service behind the skill.

Why it was flagged

There is no local package install, but the provider/source provenance is not established in the registry metadata while the skill depends on an external cloud API.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the Nemo Video service and token destination before uploading sensitive or proprietary videos.

What this means

Project drafts, video information, and generated media references may persist in the remote session.

Why it was flagged

The remote service stores and returns project state, video metadata, and generated media references. This is expected for editing workflows, but it is persistent task context.

Skill content
"Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`"
Recommendation

Treat the service as cloud storage/processing for your project and avoid sending sensitive media unless that is acceptable.

What this means

Your editing instructions and related project context may be sent to and processed by the remote backend agent.

Why it was flagged

The skill communicates with a remote `nemo_agent` over SSE and keeps backend tool calls internal. This is part of the design, but it is an agent/provider communication channel carrying user requests and workflow state.

Skill content
"Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent"...}`" ... "Tool calls stay internal."
Recommendation

Do not include secrets or unrelated sensitive data in video-editing prompts, and use the skill only with media you are comfortable processing remotely.

Note (High Confidence)
ASI08: Cascading Failures
What this means

If the session is interrupted, a remote render may continue or become hard to track.

Why it was flagged

A render job can continue remotely without the active client session tracking it. This is disclosed and purpose-related, but it can leave jobs detached from the user's immediate control.

Skill content
"The session token carries render job IDs, so closing the tab before completion orphans the job."
Recommendation

Wait for render completion when possible and keep track of session/job information for important exports.

What this means

The chat may not show every backend connection, token, session, or API detail involved in processing the video.

Why it was flagged

The skill intentionally simplifies or hides connection/session details from the user. This can be acceptable UX, but users should still understand that authentication and remote API calls are happening.

Skill content
"Tell the user you're ready. Keep the technical details out of the chat."
Recommendation

Ask the agent to disclose the workflow at a high level if you need transparency about where files and prompts are being sent.

Note (High Confidence)
ASI10: Rogue Agents
What this means

A render task may continue remotely after you stop watching the chat or close the tab.

Why it was flagged

The artifact discloses that remote render jobs can continue without the active client tab. This is not evidence of self-propagation or hidden autonomous behavior, but it is background remote activity to notice.

Skill content
"closing the tab before completion orphans the job"
Recommendation

Avoid starting renders you do not want completed, and wait for completion or use any provider-side cancellation controls if available.