Face Swap Video Ai
Pass
Audited by ClawScan on May 6, 2026.
Overview
This skill is coherent for cloud-based face-swap video creation, but users should know their media and prompts are sent to a NemoVideo backend under a token-backed session.
Before installing, understand that this is a cloud service wrapper: it can obtain or use a NEMO_TOKEN, send your uploaded videos/photos and prompts to mega-api-prod.nemovideo.ai, and perform edit/export API actions in that session. Use only media you have rights to process and are comfortable sharing with the provider, protect the token, and verify the provider's privacy and retention practices.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Uploaded clips, reference images, and related prompts may leave the local environment and be processed by NemoVideo's cloud service.
The skill clearly sends user-provided media to an external cloud provider for processing, which is central to the stated face-swap purpose but involves sensitive video/photo data.
This skill connects to a cloud processing backend... **API base**: `https://mega-api-prod.nemovideo.ai` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>`
Only upload media you are comfortable sharing with the provider, and review the provider's privacy, retention, and rights policies before using sensitive or identifiable faces.
Anyone with the token may be able to access or act within the associated NemoVideo session or credits until the token expires or is revoked.
The skill uses a bearer token to create sessions, check credits, upload media, and render/export videos. This is expected for the integration, but the token grants access to the user's service session.
Look for `NEMO_TOKEN` in the environment... Extract `data.token` from the response — this is your NEMO_TOKEN... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`
Treat NEMO_TOKEN as a secret, avoid pasting it into chats or logs, and prefer a dedicated or anonymous token for this skill.
A backend response or interpretation error could cause the agent to perform an in-service edit, state query, or export step that the user did not explicitly restate.
The skill instructs the agent to translate backend UI-style messages into follow-up API actions. This is purpose-aligned, but it means remote backend responses can drive actions inside the editing session.
Backend Response Translation... `click [button]` / `点击` | Execute via API ... `Export button` / `导出` | Execute export workflow
Keep actions confined to the current user-requested video session, and require user confirmation before uploads, exports, credit-consuming operations, or any action outside the stated request.
Users have less artifact-backed information to verify who operates the cloud backend before sending media to it.
The registry provides limited provenance information for a skill that connects to an external media-processing service. There is no local code install risk shown, but provider verification is limited from the supplied artifacts.
Source: unknown; Homepage: none
Verify the service identity and terms independently before uploading private, biometric, or commercially sensitive media.
