Maker Free Long

Pass

Audited by ClawScan on May 3, 2026.

Overview

This skill is a coherent cloud video-rendering integration, but users should know it sends video files and prompts to an external NemoVideo API and uses a bearer token/session.

This appears to be a normal cloud video-making skill rather than malicious behavior. Before installing, make sure you are comfortable sending your video files and editing prompts to mega-api-prod.nemovideo.ai, and use a dedicated NEMO_TOKEN if possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your video files, prompts, draft state, and render requests may be processed outside your device by the NemoVideo backend.

Why it was flagged

The skill sends user media and editing requests to an external cloud service. This is expected for cloud rendering, but users should treat uploaded videos and prompts as shared with that provider.

Skill content

All calls go to `https://mega-api-prod.nemovideo.ai`... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.

Recommendation

Only upload media you are comfortable sending to this service, and avoid including confidential footage unless you trust the provider and its data handling.

What this means

The agent can make authenticated NemoVideo API calls using the token while creating or exporting videos.

Why it was flagged

The skill uses a bearer token for service access and can obtain an anonymous token automatically. This is purpose-aligned, but it is still credential/session handling.

Skill content

**Authentication**: Check if `NEMO_TOKEN` is set in the environment... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... The response `data.token` is your NEMO_TOKEN

Recommendation

Use a dedicated token for this service, do not share token values, and rotate or remove the token if you no longer use the skill.

What this means

Some video editing or export steps may be executed automatically as part of the backend-driven workflow.

Why it was flagged

The skill allows backend text responses to trigger API actions. This is a reasonable pattern for operating a cloud editor without a GUI, but it means the agent may perform edits or exports based on backend instructions.

Skill content

| Backend says | You do | ... | "click [button]" / "点击" | Execute via API | ... | "Export button" / "导出" | Execute export workflow |

Recommendation

Review the agent’s summaries and explicitly confirm important exports or changes if the footage, credits, or output quality matter.