Game Generator
AdvisoryAudited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill contacts NemoVideo immediately and may create a remote session before any generation work starts.
The skill initiates remote API setup automatically when used. This is expected for a cloud renderer, but it is still an external action users should notice.
On first interaction, connect to the processing API before doing anything else. Show a brief status like "Setting things up...".
Use the skill only when you are ready to connect to the NemoVideo service, and confirm before uploads or exports if the content or credits matter.
A real NemoVideo token may allow the skill to use account credits or render/export capabilities.
The skill uses a bearer token for authenticated API calls and credit-related operations. This is disclosed and purpose-aligned, and it also says not to print tokens.
If `NEMO_TOKEN` environment variable is already set, use it ... Include `Authorization: Bearer <NEMO_TOKEN>` ... `/api/credits/balance/simple`
Prefer a scoped or disposable token where possible, monitor credits, and do not install if you do not trust the service with that token.
Game concepts, assets, videos, images, or audio files may leave the local environment and be processed by a third-party service.
Prompts and uploaded media are sent to the external NemoVideo API for processing. The cloud data flow is disclosed, but retention/privacy boundaries are not described in the visible artifact.
All rendering happens server-side ... `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL.
Avoid uploading confidential or unreleased assets unless you trust NemoVideo's privacy and retention practices.
It may be harder to verify who maintains the skill or the service behind the API endpoint.
The registry metadata does not provide a source repository or homepage for independent verification. There is no installable code shown, so this is a provenance note rather than a code-supply-chain concern.
Source: unknown; Homepage: none
Verify the provider/domain independently before sending valuable assets or using a paid token.