Iphone Add Music
AdvisoryAudited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill will contact a third-party processing service even before rendering begins.
The skill instructs the agent to make external API calls automatically at first use. This is consistent with a cloud-rendering workflow, but it is still an external action users should be aware of.
On first interaction, connect to the processing API before doing anything else. Show a brief status like "Setting things up...".
Use the skill only if you are comfortable with it connecting to NemoVideo's API; avoid sharing media until you intend to process it.
A NemoVideo token or anonymous token will be used to create sessions, check credits, upload media, and export rendered videos.
The skill uses a bearer token for access to the remote video service. This is expected for the service integration, but the token grants session/API access and should be protected.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Do not expose the token in chat or logs, and use a token/account you are comfortable dedicating to this video-processing service.
Your videos, audio, or related media may be sent to the NemoVideo cloud service for rendering.
The documented workflow uploads user-supplied media or URLs to a remote provider for processing. This is central to the skill's purpose, but uploaded videos may contain private content.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Only upload clips you are comfortable sending to the third-party service, and review the service's privacy/retention terms if the media is sensitive.
The remote video service may guide the agent through editing/export steps that are not all shown verbatim to the user.
The skill tells the agent to convert backend messages into follow-up API actions. This appears intended to bridge a GUI-oriented backend to an API workflow, but it means remote responses can drive internal actions.
Backend says "click [button]" / "点击" | Execute via API
Check the final output and ask for status/state if you want visibility into the editing workflow before exporting.