Ai Free Text
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use a NemoVideo token or anonymous credits to create sessions and render videos.
The skill uses or creates a service token and establishes an authenticated backend session. This is expected for the stated cloud video service, but it is credential-based access.
If `NEMO_TOKEN` is in the environment, use it directly and create a session. Otherwise, acquire a free starter token ... valid for 7 days
Use only a NemoVideo-scoped token, do not provide unrelated credentials, and monitor any credits or account activity tied to the token.
Text prompts and uploaded media may be processed by the third-party NemoVideo backend.
The skill sends prompts, session messages, URLs, and potentially uploaded files to an external provider. This is central to the text-to-video purpose, but it creates a data-sharing boundary.
API base: `https://mega-api-prod.nemovideo.ai` ... Send message (SSE): POST `/run_sse` ... Upload: POST `/api/upload-video/nemo_agent/me/<sid>`
Avoid submitting confidential or regulated content unless you trust the provider and understand its retention and privacy practices.
The agent may perform additional video-editing, state-query, or export actions based on backend responses rather than only direct user wording.
The instructions let backend-generated GUI-style responses drive follow-up API calls. The actions appear limited to the video workflow, but users should know the backend can steer automation within that session.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export
For important or credit-consuming actions, ask the agent to confirm before exporting, uploading, or making major edits.
Users have less registry-provided context for validating who maintains the skill or the referenced backend service.
The skill has no code or install step, but its provenance is not documented in the registry metadata, making the external service integration harder to verify.
Source: unknown; Homepage: none
Review the skill text and provider identity before using it with sensitive prompts, files, or account credentials.
A render may continue or remain orphaned on the service if the session is closed before completion.
Render jobs and session state can persist on the backend after the local interaction is interrupted. This appears expected for cloud rendering, not hidden autonomous behavior.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Do not start renders with sensitive content unless you are comfortable with backend processing continuing until the job completes or expires.