Add Subtitle To Video Canva
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for cloud subtitle rendering, but it sends selected videos and prompts to a NemoVideo backend using a token, so users should understand the third-party processing.
Use this skill only if you are comfortable sending selected media to `mega-api-prod.nemovideo.ai` for cloud processing. Prefer a dedicated Nemo token, avoid uploading sensitive videos unless you trust the provider, and confirm export or credit-related actions before proceeding.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Videos, prompts, and render/session data may leave the user's device and be processed by the NemoVideo cloud service.
The skill uploads user-selected media to a remote NemoVideo API for rendering. This is expected for the stated purpose, but videos may contain private content.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... All rendering happens server-side.
Only upload files you intend to send to this provider, and avoid sensitive videos unless you trust the service's privacy and retention practices.
Anyone with the token could potentially use the associated NemoVideo access or credits.
The skill uses a NemoVideo bearer token, or obtains an anonymous starter token, to create sessions and call the rendering API. This is purpose-aligned but grants access to the user's NemoVideo session/credits.
If `NEMO_TOKEN` is in the environment, use it directly... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated or limited Nemo token where possible, do not expose it in chats or logs, and rotate/revoke it if it may have been shared.
The remote service can guide edits or exports within the session, which could produce unexpected changes if backend responses are wrong or misunderstood.
The skill tells the agent to translate backend GUI-style responses into API actions. This is scoped to the video workflow, but it makes remote backend responses operationally influential.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Keep actions limited to the current video session and ask the user before uploads, exports, credit-consuming operations, or major edits.
A user could assume their video is being handled by Canva or locally when it is actually being sent to a NemoVideo cloud backend.
The skill is branded around Canva while the actual processing backend is NemoVideo, and the instructions discourage showing technical details in chat. The backend is disclosed in the artifact, but users may not realize this is not necessarily an official Canva service.
displayName: "Add Subtitle to Video Canva — Add Captions and Export Videos" ... API base: `https://mega-api-prod.nemovideo.ai` ... Tell the user you're ready. Keep the technical details out of the chat.
Before upload, clearly tell users that the skill is powered by NemoVideo cloud processing and is not shown here as an official Canva integration.
