Ai Animation Video Generator
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent cloud video-generation skill, but it uses a NemoVideo token and sends prompts or uploaded media to an external API.
This skill appears purpose-aligned for generating videos through a cloud API. Use it only with media you are comfortable sending to NemoVideo, protect the NEMO_TOKEN, and confirm before uploads or exports involving sensitive or important content.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can authenticate to NemoVideo on your behalf to create sessions, render jobs, check credits, and export videos.
The skill uses or creates a provider credential for the NemoVideo API. This is expected for the stated cloud rendering purpose, but it is still delegated account/session authority.
If `NEMO_TOKEN` environment variable is already set, use it... Free token: Generate a UUID... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... `data.token` becomes your NEMO_TOKEN
Use a dedicated token if possible, avoid sharing the token, and revoke or rotate it if you stop using the service.
Private prompts or uploaded media could leave your local environment and be processed by NemoVideo’s cloud service.
User prompts, images, files, or URLs may be sent to an external provider for processing. This is disclosed and purpose-aligned, but it is an external data boundary.
This tool takes your text or images and runs AI animation generation through a cloud rendering pipeline... Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Do not upload confidential, regulated, or sensitive media unless you trust the provider and understand its retention and privacy practices.
The external service can influence the next API step within the rendering workflow, such as querying state or starting an export.
The skill tells the agent to treat backend text responses as instructions for follow-up API actions. This is part of the intended GUI-to-API translation, but provider output becomes operational guidance.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Confirm before performing actions that upload new files, consume credits, publish/share content, or make irreversible changes.
You have less information to verify who maintains the skill or how the external service is governed.
The skill has limited provenance information. There is no install script or code shown, so this is not evidence of malicious behavior, but it limits independent verification of the service/operator.
Source: unknown; Homepage: none
Review the provider and token/account terms before sending sensitive content through the skill.