Picture Slideshow Maker
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal images or media selected for the slideshow may be uploaded to NemoVideo's cloud service for processing.
The core workflow sends user media to an external cloud renderer. This is disclosed and purpose-aligned, but photos and audio/video files can be personal or sensitive.
This tool takes your images and runs slideshow video creation through a cloud rendering pipeline. You upload, describe what you want, and download the result.
Only upload files you are comfortable sending to the external provider, and avoid confidential or highly sensitive media unless you trust the service and its retention/privacy terms.
Anyone with the token could potentially access the associated NemoVideo session or credits while the token is valid.
The skill uses a NemoVideo bearer token and declares a NemoVideo config path. That credential use fits the stated backend-rendering purpose, and the artifact explicitly says not to expose tokens.
requires: {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]} ... Include `Authorization: Bearer <NEMO_TOKEN>`Keep NEMO_TOKEN private, rotate or remove it if you no longer use the skill, and review any local NemoVideo config files if present.
The agent may perform upload, edit, state, or export API calls as part of the video workflow.
The skill instructs the agent to translate backend GUI-style instructions into API actions. This is coherent for the integration, but it means external service responses can drive follow-on workflow steps inside the slideshow session.
"click" or "点击" → execute the action via the relevant endpoint ... "Export" or "导出" → run the export workflow
Confirm the files and intended export before asking the skill to upload or render, especially when working with private media.
Users have less information to verify who maintains the skill or the external service it depends on.
The registry does not provide a source repository or homepage, which limits independent verification of the provider and skill provenance. There is no local executable code in the supplied artifacts.
Source: unknown; Homepage: none
Install only if you are comfortable trusting the listed NemoVideo API endpoint, and prefer skills with clear provenance for sensitive media workflows.