Image To Video Miricanvas
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening or using the skill may create a cloud session and make requests to NemoVideo even before a finished video is produced.
The skill directs automatic network setup with the backend. This is aligned with the cloud-rendering purpose, but users should know the skill initiates backend API calls before media generation.
When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").
Use the skill only if you are comfortable with automatic setup calls to the listed backend, and review network/API behavior if your environment restricts external services.
Anyone with the token could potentially use the associated NemoVideo session or credits until it expires or is rotated.
The skill uses a bearer token for the NemoVideo API. This is expected for the service integration, and the artifact does not show hardcoded credentials or unrelated token use.
Include `Authorization: Bearer <NEMO_TOKEN>` ... Check if `NEMO_TOKEN` is set in the environment.
Keep NEMO_TOKEN private, avoid pasting it into chats or logs, and rotate or revoke it if you suspect exposure.
Uploaded images, media URLs, and related prompts may be processed by the external cloud provider.
The skill sends user-selected files or URLs to the external NemoVideo backend. This is central to the image-to-video workflow, but it crosses a data boundary.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Do not upload private, confidential, or regulated images unless you are comfortable with NemoVideo processing them under its terms.
A render may keep running on the provider after the local interaction is closed, which could affect completion tracking or provider-side resource usage.
The artifact indicates that cloud render jobs may continue or become detached from the local session. This is normal for asynchronous rendering, but users should notice the persistence of server-side jobs.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Wait for completion or check job status before closing the session when rendering important or sensitive media.