Free Text Generation
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill should treat NEMO_TOKEN as a real service credential that may control credits, sessions, and render jobs.
The skill uses a bearer token to create sessions and perform video-rendering API calls. This is expected for the integrated service, but it is still credential-based account/session authority.
If `NEMO_TOKEN` is in the environment, use it directly... Otherwise, acquire a free starter token... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a service-specific token with the least necessary access, avoid sharing it in chat, and revoke or rotate it if the skill is no longer trusted.
Text prompts, documents, and media submitted for generation may be processed by the third-party backend.
The skill sends user prompts and uploaded files to an external NemoVideo cloud API. This is aligned with cloud video creation, but private document or media content would leave the local environment.
Send message (SSE): POST `/run_sse`... `new_message`... `text` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`
Do not submit confidential files or sensitive prompts unless you trust the NemoVideo service and its data-handling practices.
The agent may perform additional NemoVideo API steps, such as querying state or exporting, based on backend responses during a generation task.
The skill asks the agent to convert backend-provided UI-like instructions into API actions. This is part of the intended workflow, but it means external service responses can drive follow-on actions inside the session.
The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" ... → execute the action via the relevant endpoint ... "Export" ... → run the export workflow
Keep actions limited to the requested video task and ask for user confirmation before paid, irreversible, or account-affecting operations.
A user may not see that an anonymous token/session was created or that cloud API calls are being made unless they inspect the skill.
The instruction appears intended to simplify the user experience and avoid exposing implementation details, but it could reduce transparency about token/session creation and external API use.
Tell the user you're ready. Keep the technical details out of the chat.
Provide a brief, non-sensitive disclosure such as 'I will use the NemoVideo cloud API to process this' while never revealing secret token values.