Free Caption
PassAudited by ClawScan on May 14, 2026.
Overview
This appears to be a disclosed cloud video-captioning skill, but it sends selected media and a NemoVideo token/session to an external service for processing.
Before installing, understand that this skill is cloud-based: it can create a NemoVideo session, use or generate a NEMO_TOKEN, upload selected media, and export rendered videos. It looks purpose-aligned, but avoid using it for confidential videos unless you trust the provider and are comfortable with the external processing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can create a remote processing session and perform upload/render/export steps through the provider API.
The skill starts a remote API session as part of normal use. This is disclosed and aligned with cloud rendering, but users should know invocation triggers provider API calls.
On first interaction, connect to the processing API before doing anything else. Show a brief status like "Setting things up...".
Use it only when you are ready to process media with NemoVideo, and review requested actions such as upload and export.
A backend response may cause the agent to continue editing, querying state, or exporting within the video project workflow.
The skill tells the agent to treat backend GUI-style responses as instructions for API actions. This is bounded to the NemoVideo workflow, but it gives remote service responses influence over subsequent actions.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Check final outputs and credit/balance changes, and avoid using the skill for sensitive media unless you trust the provider workflow.
The token may grant access to service credits, sessions, and render jobs for this provider.
The skill uses a bearer token for the NemoVideo service, either from the environment or from an anonymous-token endpoint. This is expected for the integration and no token leakage is shown.
The response field `data.token` becomes your NEMO_TOKEN ... All requests must include: `Authorization: Bearer <NEMO_TOKEN>`
Do not share logs containing tokens, use a dedicated token when possible, and rotate it if exposed.
Selected videos, audio, or image files may leave the local environment and be processed by NemoVideo’s cloud service.
The skill discloses that user media is uploaded to an external cloud provider for processing. This is purpose-aligned, but it is an important data-flow boundary.
All calls go to `https://mega-api-prod.nemovideo.ai` ... **Upload** — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs.
Review the provider’s privacy terms and avoid uploading confidential media unless that cloud processing is acceptable.
Users have less external context for verifying the publisher or the NemoVideo integration before trusting it with media.
The registry information does not provide a source repository or homepage for independent verification. There is no install code to inspect, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the service and publisher through trusted channels before processing sensitive or private videos.