Generator Canva
PassAudited by ClawScan on May 3, 2026.
Overview
This appears to be a coherent cloud video-generation skill, but it sends provided media to NemoVideo and uses a short-lived token/session.
This skill is reasonable for cloud-based video generation, but treat it like uploading files to a third-party service. Avoid confidential images, unreleased product assets, or regulated data unless you trust NemoVideo and understand its data practices. Keep NEMO_TOKEN private and clear old sessions/configuration when you are done.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening or using the skill can contact the NemoVideo backend and create an anonymous processing session.
The skill tells the agent to initiate external API calls and session creation automatically. This is disclosed and central to the cloud-rendering purpose, but it is still external tool use users should notice.
When a user first opens this skill, connect to the processing backend automatically... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... POST to `https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent`
Install only if you are comfortable with this service contacting NemoVideo for setup and rendering.
The token authorizes video-generation sessions and related API requests for this backend.
The skill uses a provider token for authenticated API calls. This is expected for the NemoVideo integration and the instructions say not to display token values, but it is still a credential boundary.
**Authentication**: Check if `NEMO_TOKEN` is set... The response `data.token` is your NEMO_TOKEN... Include `Authorization: Bearer <NEMO_TOKEN>`... on every request
Keep NEMO_TOKEN private, avoid sharing logs that might contain headers, and rotate or remove the token if you stop using the skill.
Confidential product images, logos, clips, or prompts may leave your local environment and be processed by the external backend.
User-provided images, clips, URLs, and prompts are sent to an external cloud provider for processing. That is the core function, but retention/privacy details are not provided in the artifacts.
This tool takes your images or clips and runs AI video creation through a cloud rendering pipeline. You upload, describe what you want, and download the result.
Do not upload sensitive or regulated media unless you trust the provider and have reviewed its terms or privacy practices.
A stale or shared session could expose or mix draft/video state across related requests.
The workflow relies on stored session identifiers and server-side draft/media state across requests. This is expected for rendering, but it means prior session context can affect later actions.
Store the returned `session_id` for all subsequent requests... Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`
Use separate sessions for unrelated or sensitive projects and clear local NemoVideo configuration if available when finished.
Users have less information for verifying who operates or maintains the service before sending media to it.
The registry does not provide a clear source or homepage, which limits provenance checking for a skill that depends on an external backend.
Source: unknown; Homepage: none
Verify the provider independently before uploading valuable or private assets.