Sora Ai Video

Pass

Audited by ClawScan on May 11, 2026.

Overview

This appears to be a coherent cloud video-generation skill, but it sends prompts/files to a third-party NemoVideo API and uses a bearer token.

Install only if you are comfortable using the NemoVideo cloud service. Keep NEMO_TOKEN private, verify the source/provider, and avoid uploading sensitive media unless you trust how the service handles it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may start a remote session and run video-workflow API actions as part of normal use.

Why it was flagged

The agent is instructed to initiate provider setup and turn backend responses into further API actions. This is purpose-aligned for a cloud renderer, but it is automatic enough that users should understand it.

Skill content

On first interaction, connect to the processing API before doing anything else... Backend says "click [button]" ... Execute via API ... "Export button" ... Execute export workflow

Recommendation

Use it for intended video-generation tasks and ask the agent to confirm before uploads, exports, or actions that might use credits.

What this means

Anyone with the token may be able to use the associated NemoVideo session/account capabilities.

Why it was flagged

The skill uses a provider bearer token for authentication. This is expected for the integration and the artifact says not to print tokens or raw JSON.

Skill content

If `NEMO_TOKEN` environment variable is already set, use it... the response field `data.token` becomes your NEMO_TOKEN... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Keep NEMO_TOKEN private, avoid pasting it into chat, and rotate or remove it if you no longer trust the skill or provider.

What this means

Your prompts and uploaded media may leave your device and be processed by the NemoVideo service.

Why it was flagged

Prompts, edit messages, and selected media are sent to a remote provider. This is disclosed and central to the cloud video purpose, but it defines an external data boundary.

Skill content

Send message (SSE): POST `/run_sse` ... `new_message`... Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`

Recommendation

Do not send private, regulated, or sensitive media unless you trust the provider and its handling of uploaded content.

What this means

You have less independent information for verifying who operates or maintains the integration.

Why it was flagged

There is no local code install risk in the provided artifacts, but the publisher/source provenance and homepage are not documented for a skill that relies on an external API.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the service and publisher before relying on it for important or sensitive video-generation work.