Editor Effects
Analysis
This instruction-only video editing skill is coherent with its purpose, but it sends prompts and media to a disclosed NemoVideo cloud API using a token.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Backend Response Translation ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
The remote backend's GUI-style responses are treated as instructions for API actions. This is aligned with the editing workflow, but it means backend responses can influence what the agent does inside the service.
Upload — POST /api/upload-video/nemo_agent/me/<sid> ... Export — POST /api/render/proxy/lambda ... Poll GET /api/render/proxy/lambda/<id> every 30s
The skill uses API operations to upload media, render, poll, and export. These are central to the stated video-editing purpose and are disclosed.
Source: unknown; Homepage: none
The package provides no public source or homepage provenance. There is no install script or code in the artifacts, but the provider identity should still be considered before using the remote API.
Tell the user you're ready. Keep the technical details out of the chat.
The skill encourages a simplified user experience. This is not inherently deceptive because the cloud API details are documented, but users should still be told material facts such as cloud upload and token use when relevant.
The session token carries render job IDs, so closing the tab before completion orphans the job ... Poll `GET /api/render/proxy/lambda/<id>` every 30s
Cloud render jobs and polling can continue as part of the requested export workflow. This is disclosed and purpose-aligned, but it is persistent remote activity.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Every API call needs Authorization: Bearer <NEMO_TOKEN> ... If `NEMO_TOKEN` is in the environment, use it directly ... Otherwise, acquire a free starter token
The skill requires a bearer token or obtains an anonymous starter token for the NemoVideo API. This is expected for the integrated cloud service, and the artifacts do not show unrelated credential use.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
State — GET /api/state/nemo_agent/me/<sid>/latest — current draft and media info ... poll `/api/state` to confirm the timeline changed
The skill relies on remote session state containing draft and media information. This is expected for cloud editing, but it is persistent context the agent trusts when reporting updates.
All calls go to `https://mega-api-prod.nemovideo.ai` ... Chat (SSE) — `POST /run_sse` ... Upload — `POST /api/upload-video/nemo_agent/me/<sid>`
The skill sends user messages and uploaded media to an external provider over documented API endpoints. This is purpose-aligned and disclosed, but it is a sensitive data boundary.