v1.0.0

Iphone Add Music To Video

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:21 PM.

Analysis

This skill appears aligned with its stated video-editing purpose, but users should know it uploads media to a NemoVideo cloud backend and uses a Nemo service token.

GuidanceInstall this only if you are comfortable using NemoVideo's cloud service to process your videos and audio. Use a dedicated or anonymous NEMO_TOKEN, verify the provider/domain, and avoid uploading sensitive media unless the service's privacy and retention terms meet your needs.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

"upload" / "上传" / user sends file | → §3.2 Upload ... "export" / "download" / "send me the video" | → §3.5 Export

The skill routes user file uploads and export requests to backend actions. This is expected for a video-editing skill, but it means user actions can trigger external uploads, rendering jobs, and credit usage.

User impactIf you upload media or request export, the skill will use the external backend to process the file rather than editing locally.

RecommendationOnly upload files you intend to process with NemoVideo, and review export/credit behavior before using it for important or private projects.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none

The registry information does not provide a source repository or homepage, which limits provenance checks for a skill that depends on a remote backend. There is no install script or local package dependency shown.

User impactYou have less independent information for verifying who maintains the skill or service.

RecommendationVerify that you trust the listed NemoVideo API domain and the publisher before uploading sensitive media.

Rogue Agents

SeverityInfoConfidenceHighStatusNote

SKILL.md

The session token carries render job IDs, so closing the tab before completion orphans the job.

A cloud render job may continue independently of the user's open tab. This is disclosed and tied to a requested export, not evidence of self-propagation or hidden local persistence.

User impactA render job you start may keep running on the backend even if you close the interface before it finishes.

RecommendationAvoid starting exports you do not want completed, and wait for completion or use any available cancellation controls if provided by the service.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Check if `NEMO_TOKEN` is set ... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... `Authorization: Bearer <token>`

The skill uses a NemoVideo token for authentication and can generate an anonymous token if one is not present. This is purpose-aligned for the cloud service and the artifacts do not show unrelated credential use or token disclosure.

User impactThe skill may use credits or permissions associated with the NemoVideo token used for the session.

RecommendationUse a dedicated or anonymous NemoVideo token when possible, and avoid sharing token values in chat or logs.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Store the returned `session_id` for all subsequent requests.

The skill keeps session context so later upload, edit, state, and export requests refer to the same project. This is expected for a multi-step editing workflow, but users should avoid mixing unrelated private projects in one session.

User impactFiles and edits in the same session may remain associated with that session's project state.

RecommendationStart a new session for unrelated videos or sensitive work, and do not reuse a session for content that should remain separate.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

`/run_sse` | POST | Send a user message ... `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file ... I'll handle the AI music overlay on cloud GPUs

The skill sends user messages and uploaded media to an external NemoVideo backend and receives streamed responses. The endpoint is fixed and authenticated, so this is disclosed and purpose-aligned, but it is still a sensitive data flow.

User impactYour videos, audio files, and editing prompts may be processed by NemoVideo's cloud service.

RecommendationDo not upload private, confidential, or regulated media unless you are comfortable with that external processing.