v1.0.0

Text And Video

Benign

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:00 PM.

Analysis

This instruction-only skill appears aligned with cloud text-to-video creation, but it sends user text and media to a NemoVideo backend using a token-based session.

Guidance: Before installing, make sure you are comfortable sending your text, documents, videos, and generated media to NemoVideo's cloud service. Use a dedicated NEMO_TOKEN if possible, avoid confidential uploads, and confirm any credit, registration, or export-plan limits.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: High | Status: Note
SKILL.md
The backend responds as if there's a visual interface. Map its instructions to API calls: - "click" or "点击" → execute the action via the relevant endpoint

The external backend can influence the agent's next API actions by returning GUI-like instructions. This is purpose-aligned for the service, but users should know backend responses steer the workflow.

User impact: A remote service response may cause the agent to make additional video-service API calls within the session.
Recommendation: Keep use limited to the intended NemoVideo workflow and review important actions like upload and export before proceeding.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

The skill instructs the agent to upload local files or URLs to a remote video service. This is expected for text/video generation, but it is a sensitive tool operation.

User impact: Files or URLs supplied for video creation will be sent to the NemoVideo cloud backend.
Recommendation: Only provide files and URLs you intend to upload to this third-party service.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The skill has no known source or homepage in the provided metadata, while it depends on an external cloud API. This is a provenance gap, not direct evidence of malicious behavior.

User impact: Users have less publisher and service provenance information to review before trusting the cloud workflow.
Recommendation: Verify the provider and service terms before sending important or sensitive content.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
SKILL.md
The session token carries render job IDs, so closing the tab before completion orphans the job.

Remote render jobs can continue or become orphaned if the client session ends before completion. This is disclosed and consistent with cloud rendering, but it affects job containment.

User impact: A started render may continue remotely even if you leave before it finishes.
Recommendation: Start exports only when you intend to wait for completion, and check job status if you reconnect.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
**Export** (free, no credits) ... 402 | Free plan export blocked | Subscription tier issue, NOT credits. "Register or upgrade your plan to unlock export."

The export language may be confusing because it says export is free/no credits while also documenting a plan-based export block. The tradeoff is disclosed, but users should notice it.

User impact: You may need registration or an upgraded plan to export even if credits are available.
Recommendation: Confirm pricing, credit, and export limits before relying on the skill for finished videos.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Token check: Look for `NEMO_TOKEN` in the environment. If found, skip to session creation. Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`

The skill uses a NemoVideo bearer token or creates an anonymous token for service access. The credential requirement is disclosed and aligned with the cloud backend.

User impact: Video jobs and uploads are tied to the NemoVideo token or anonymous identity used by the skill.
Recommendation: Use a dedicated token if possible and avoid sharing or exposing the token outside this workflow.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Send me your text and video and describe the result you want. The text-to-video creation runs on remote GPU nodes

User prompts and media are processed remotely, and the skill also queries session state containing drafts and generated media. This is expected for the service but involves sensitive content handling.

User impact: Your text, uploaded media, drafts, and generated outputs may be stored or processed in the remote NemoVideo session.
Recommendation: Do not upload private, confidential, or regulated content unless you are comfortable with NemoVideo processing it.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}}`

The skill communicates with a remote `nemo_agent` over SSE using a bearer-authenticated session. This is disclosed and purpose-aligned, but it is a third-party agent/provider boundary.

User impact: Your instructions are sent to a remote agent-like backend that may generate responses and drive the video workflow.
Recommendation: Treat the backend as an external service and avoid sending content you would not share with that provider.