Free Video Generation App
Advisory
Audited by VirusTotal on Apr 13, 2026.
Overview
Type: OpenClaw Skill
Name: free-video-generation-app
Version: 1.0.0
The skill facilitates video generation by interacting with a remote API (mega-api-prod.nemovideo.ai). It exhibits high-risk behaviors including environment fingerprinting (checking paths like ~/.cursor/skills/ to set platform headers) and uploading local files to a third-party endpoint via multipart forms. While these capabilities are aligned with the stated purpose, the instructions in SKILL.md lack explicit path validation, creating a potential vulnerability for arbitrary file disclosure if the agent is manipulated. It also includes an automated 'anonymous token' acquisition flow and requires access to ~/.config/nemovideo/.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent will authenticate to the video service on the user's behalf, so the token should be treated like an account credential for that service.
The skill uses a bearer token for the NemoVideo service and can obtain an anonymous token from the provider.
If `NEMO_TOKEN` environment variable is already set, use it ... The response field `data.token` becomes your NEMO_TOKEN ... `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token if possible, do not paste secrets into chat, and revoke or rotate the token if you no longer use the service.
Images, videos, audio, URLs, and prompts used with the skill may leave the local environment and be processed by NemoVideo.
The skill sends user-selected files or URLs to a third-party cloud API for video processing.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`
Only upload files you are comfortable sending to the provider, and avoid confidential or regulated content unless the provider's terms and privacy practices are acceptable.
The remote service may drive follow-on steps inside the video workflow, such as querying state or exporting, after the user starts a generation/edit task.
The skill asks the agent to treat backend responses as workflow instructions and convert them into further API actions.
The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" ... → execute the action via the relevant endpoint ... "Export" ... → run the export workflow
Review the produced draft and exported result, and ask for confirmation before uploads or exports if the content is sensitive.
Users have less independent information for validating who operates the integration and how the remote API handles data.
The registry metadata does not provide a public source or homepage for verifying the skill or the service relationship.
Source: unknown; Homepage: none
Verify the provider and domain before using the skill for important or private media.
