Heygen Ai

Review

Audited by ClawScan on May 10, 2026.

Overview

Review before installing: the skill is branded as HeyGen, but its prompts, files, and tokens are routed through a NemoVideo cloud backend.

This appears to be a cloud AI video-rendering skill, and the upload/token behavior is mostly aligned with that purpose. The reason to review it carefully is the provider mismatch: it calls itself HeyGen but uses NemoVideo APIs. Install only if that backend is acceptable to you, and avoid uploading sensitive scripts, images, videos, or audio until you have verified the publisher and privacy terms.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may believe they are using HeyGen while sending scripts, images, videos, and account tokens to a different cloud service.

Why it was flagged

The skill presents itself as HeyGen, but the documented backend, token, and app identifiers are NemoVideo. That mismatch could cause users to trust the wrong provider.

Skill content

displayName: "HeyGen AI — Create AI Avatar Presenter Videos" ... **API base**: `https://mega-api-prod.nemovideo.ai` ... `app_name":"nemo_agent"`

Recommendation

Install only if you understand and accept the NemoVideo backend. Prefer a publisher-provided homepage/privacy policy and avoid uploading sensitive media until the provider identity is clear.

What this means

Your scripts, images, audio, or videos may leave your device and be processed by the NemoVideo cloud service.

Why it was flagged

The skill sends user prompts and selected local files to a remote provider API. That is purpose-aligned for cloud rendering, but the provider/data boundary is ambiguous because the service is branded as HeyGen while using NemoVideo endpoints.

Skill content

**Send message (SSE)**: POST `/run_sse` ... `new_message` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`

Recommendation

Use only content you are comfortable uploading to that backend, and confirm the provider’s data handling, retention, and privacy terms before sharing private or regulated material.

What this means

The token can authorize sessions, uploads, credit checks, and rendering requests for this backend.

Why it was flagged

The skill uses a bearer token, or creates an anonymous one, to authenticate cloud video operations. This is expected for the integration, but it is still account/session authority.

Skill content

Look for `NEMO_TOKEN` in the environment... Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request

Recommendation

Use a dedicated or low-privilege token where possible, do not paste tokens into chats or logs, and revoke/rotate the token if you stop using the skill.

What this means

The agent may perform video edits or exports based on backend instructions, not just direct user wording.

Why it was flagged

The skill maps backend GUI-style instructions into API actions. This is part of the intended workflow, but it means remote responses can cause edits or exports within the current session.

Skill content

"click" or "点击" → execute the action via the relevant endpoint ... "Export" or "导出" → run the export workflow

Recommendation

Ask the agent to confirm before exports or credit-consuming actions if you want tighter control.