Image To Video Joyfun
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening or using the skill can contact the NemoVideo backend and run the documented cloud rendering workflow.
The skill directs the agent to make automatic remote API calls and manage upload, SSE, state, credits, and export endpoints. This is disclosed and purpose-aligned for cloud video rendering, but users should be aware of the external automation.
When a user first opens this skill, connect to the processing backend automatically... All calls go to `https://mega-api-prod.nemovideo.ai`.
Use it only if you are comfortable with a third-party video service processing the task.
The skill can spend credits or create provider sessions under the configured or anonymous token.
The skill uses a bearer token or creates an anonymous token for the provider. This is expected for the service and there is no evidence of token leakage, but it is still credential-like access.
Authentication: Check if `NEMO_TOKEN` is set... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... The response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days.
Treat NEMO_TOKEN as a secret and revoke or rotate it if you no longer want the skill to access the service.
Images, prompts, and possibly media URLs may leave the local environment and be processed on NemoVideo servers.
The skill sends user-selected image/media files and prompts to the remote provider for processing. This is central to the feature and disclosed, but uploaded media may be private or sensitive.
Upload your still images (JPG, PNG, WEBP, GIF, up to 200MB)... All rendering happens server-side... Upload — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.
Avoid uploading confidential, personal, or restricted images unless you trust the provider’s handling of that data.
Users have less external context for verifying who operates or documents the backend service.
The supplied artifacts do not include executable code, which reduces local supply-chain risk, but the skill listing provides limited provenance information for the remote integration.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the provider and token source before sending sensitive media, especially because no homepage is listed.
