Music Maker

Pass

Audited by ClawScan on May 10, 2026.

Overview

Music Maker is a coherent cloud-rendering skill, but it sends user-selected media, prompts, tokens, and project session data to the Nemo Video API.

This skill appears purpose-aligned for cloud music/video generation. Before installing, make sure you trust the Nemo Video service and the skill owner, use a dedicated token where possible, and only upload media you are comfortable sending to a third-party cloud renderer.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can make Nemo Video API requests using the configured or anonymous token.

Why it was flagged

The skill uses a provider bearer token, or obtains an anonymous provider token, to create sessions and call the Nemo Video API. This is expected for the integration, but it is delegated account/API access.

Skill content

If `NEMO_TOKEN` is in the environment, use it directly and create a session. Otherwise, acquire a free starter token ... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Use a dedicated token if possible, keep it private, and rotate or remove it when you no longer use the skill.

What this means

Uploaded media and prompts leave the local environment and are processed by the Nemo Video service.

Why it was flagged

The skill sends user-selected files, URLs, prompts, and workflow requests to an external provider API. This is disclosed and purpose-aligned, but it is still a data-sharing boundary.

Skill content

**API base**: `https://mega-api-prod.nemovideo.ai` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

Recommendation

Only upload files you are comfortable sending to that provider, especially if they contain private, copyrighted, or sensitive content.

What this means

Project state and generated media may remain associated with the remote session or token.

Why it was flagged

The provider maintains session, draft, media, and render-job state for the workflow. This is normal for cloud rendering, but it means project context may persist remotely during or after a task.

Skill content

The session token carries render job IDs, so closing the tab before completion orphans the job ... **Session state**: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`

Recommendation

Check the provider’s retention/deletion controls if you process sensitive projects, and avoid sharing session tokens or download URLs.

What this means

The service backend may sequence edits, state checks, and exports inside the current project workflow.

Why it was flagged

The skill instructs the agent to translate backend GUI-style responses into follow-up API actions. This appears purpose-aligned, but it means the remote backend can drive parts of the workflow without exposing every internal tool step to the user.

Skill content

Tool calls stay internal ... Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow

Recommendation

Review status/output before relying on generated results, and stop the workflow if actions do not match your request.