NovaVideo

Pass

Audited by ClawScan on May 1, 2026.

Overview

NovaVideo is a coherent API-integration skill for generating images and videos, but users should notice that it uses a Nova API key, sends prompts to an external service, and suggests a mutable remote install URL.

Before installing, confirm you trust the Nova Video service, use a limited or revocable API key, avoid sending sensitive prompts or images, and prefer the reviewed registry artifact over fetching mutable remote instructions directly.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent will use a Nova account credential to create images/videos and check task status, so usage may be tied to the user's account and quota.

Why it was flagged

The skill requires a Nova Video API key for authenticated API calls, but this credential requirement is not reflected in the registry metadata.

Skill content
export NOVA_API_KEY="nv_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Recommendation

Use a dedicated Nova API key if possible, understand any account limits or costs, and revoke the key if you stop using the skill.

What this means

If installing through that remote URL instead of the reviewed registry artifact, the agent could receive different instructions if the hosted file changes.

Why it was flagged

The documented install flow asks an agent to fetch and follow a remote SKILL.md URL, which is not pinned to a version or checksum.

Skill content

Read https://nova-video.onesolo.app/SKILL.md and follow the instructions

Recommendation

Prefer installing the reviewed registry version, or verify the remote SKILL.md content before asking an agent to follow it.

What this means

User prompts and generation requests are transmitted to an external service, and repeated polling may keep the task active for several minutes.

Why it was flagged

The skill instructs the agent to run curl commands that send user prompts to the Nova Video API; this is central to the stated image/video generation purpose.

Skill content

curl -s -X POST "$NOVA_BASE_URL/api/openapi/image"

Recommendation

Do not submit sensitive private text or images unless you are comfortable sending them to the Nova Video service.

What this means

A local file may contain a long signed URL that grants access to the generated video while the URL remains valid.

Why it was flagged

The skill directs the agent to persist a signed video URL locally so it is not truncated in chat output.

Skill content

Always **write the full URL to a file** — never `echo` it directly or embed it in a markdown link

Recommendation

Store generated URL files in an appropriate location and delete them if the content should not remain accessible.