Clock Video Production

What to consider before installing: - Provenance: The skill has no listed homepage or source and was published by an unknown owner. Confirm the service (nemovideo / mega-api-prod.nemovideo.ai) is legitimate and review its privacy and data-retention policies before uploading media. - Network activity: The skill instructs the agent to call external endpoints (auth, upload, SSE, render). If you run sensitive footage through it, assume those files are transmitted to that external service. - Auto-generated credentials: If NEMO_TOKEN is not provided, the skill will generate an anonymous token by contacting the service and use it. Consider providing a dedicated token/account rather than allowing anonymous provisioning, and verify what the token permits and how long it is valid. - Local file/config access: SKILL.md references ~/.config/nemovideo/ and derives headers from install paths (e.g., ~/.clawhub/). Ask the author whether the skill will read those paths and why; only allow access if necessary. - Lack of code to inspect: This skill is instruction-only, so there is no code to audit. If you need higher assurance, request the skill's source code, a service SLA, or a privacy statement from the publisher. - Practical steps: (1) Verify the external domain and service operator, (2) avoid uploading highly sensitive media until you confirm data handling, (3) use an isolated account/token or ephemeral token with limited scope, and (4) ask the publisher to reconcile the configPath metadata mismatch and to document where tokens/session IDs are stored.