Video Editor Effects
Analysis
This is a coherent cloud video-editing skill, but it automatically connects to NemoVideo, uses a token, uploads media and prompts, and keeps render session state.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Backend says | You do
...
"click [button]" / "点击" | Execute via API
...
"Export button" / "导出" | Execute export workflow
The skill treats backend text as instructions for API actions. This is part of the intended GUI-to-API translation, but it means remote backend responses can steer edits or exports.
Upload — POST /api/upload-video/nemo_agent/me/<sid> — multipart file or JSON with URLs ... Export — POST /api/render/proxy/lambda ... Poll GET /api/render/proxy/lambda/<id>
The skill performs external upload, render, polling, and download workflows. These actions are central to the video editing purpose but can consume credits and change the remote project state.
Source: unknown; Homepage: none
The skill has no local install code or dependencies, but its registry provenance is limited, which matters because it relies on an external cloud rendering backend.
Each export job queues on a cloud GPU node ... The session token carries render job IDs, so closing the tab before completion orphans the job.
A render job may continue remotely if the user closes the tab before completion. This is disclosed and scoped to the render workflow, but it can leave a remote job unfinished or orphaned.
When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").
The skill instructs automatic backend setup with brief user messaging. This is disclosed in the artifact and supports the product flow, but users should notice that connection and token/session creation can happen immediately.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Check if `NEMO_TOKEN` is set in the environment ... response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
The skill uses a NemoVideo bearer token for authenticated requests. This is expected for the integrated rendering service and no artifact shows hardcoded secrets, token logging, or unrelated credential use.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Store the returned `session_id` for all subsequent requests ... State — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info.
The skill reuses a cloud session and draft state across requests. This is appropriate for editing a video project, but the stored session context affects later edits and exports.
All calls go to `https://mega-api-prod.nemovideo.ai` ... Chat (SSE) — `POST /run_sse` ... Upload — `POST /api/upload-video/nemo_agent/me/<sid>`
The agent communicates with an external provider using API and SSE flows, sending prompts and media to the service. The destination and Authorization header are disclosed and purpose-aligned.
