From Video Online
Pass
Audited by VirusTotal on May 3, 2026.
Overview
Type: OpenClaw Skill
Name: from-video-online
Version: 1.0.0
The skill 'from-video-online' facilitates video downloading and editing by interfacing with a remote API (mega-api-prod.nemovideo.ai). It requires the agent to perform several high-risk actions: uploading user files to a third-party server, managing API tokens (NEMO_TOKEN), and performing environment discovery by checking its own installation path to set telemetry headers (X-Skill-Platform). While these capabilities are aligned with the stated purpose of cloud-based video processing, the combination of file exfiltration, environment sniffing, and mandatory external network communication fits the criteria for a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make provider API calls and perform export/edit workflow steps as part of handling a video request.
The skill directs the agent to initiate remote API setup automatically and convert backend instructions into API actions. This is disclosed and aligned with video processing, but users should be aware of the automation.
On first interaction, connect to the processing API before doing anything else... Backend says "click [button]" / "点击" | Execute via API
Use the skill only for intended video tasks and review requests that may consume credits or export content.
Anyone with the token may be able to use the associated NemoVideo credits or session access.
The skill uses a NemoVideo bearer token or creates an anonymous token for service access. This credential use is expected for the integration and the artifact says not to print tokens.
Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request ... Free token: Generate a UUID ... POST to ... `/api/auth/anonymous-token`
Use a dedicated token if possible, do not share it, and monitor service credits or account activity.
Private video links, uploaded media, and editing instructions may leave the local environment and be processed by the remote service.
The skill discloses that prompts, online video URLs, and uploaded media are sent to a remote provider for processing. This is central to the service, but it is still a sensitive data flow that users should notice.
All calls go to `https://mega-api-prod.nemovideo.ai` ... **Chat (SSE)** ... with `session_id` and your message ... **Upload** ... multipart file or JSON with URLs.
Avoid sending confidential media or URLs unless you trust the provider and its retention/privacy practices.
