Script To Video

Pass

Audited by VirusTotal on May 3, 2026.

Overview

Type: OpenClaw Skill
Name: script-to-video
Version: 1.0.0

The skill is a legitimate integration for a script-to-video service hosted at nemovideo.ai. It defines standard API interactions for authentication, file uploads, and video rendering. The instructions in SKILL.md are consistent with the stated purpose, and there is no evidence of data exfiltration (beyond the scripts intended for processing), malicious execution, or unauthorized access to sensitive local environment variables.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Starting the skill can create a remote session and contact the NemoVideo API.

Why it was flagged

The agent is instructed to initiate remote API setup automatically when the skill is first used. This is disclosed and purpose-aligned, but users should know a network session may be created before each individual API call is separately confirmed.

Skill content

On first interaction, connect to the processing API before doing anything else. Show a brief status like "Setting things up...".

Recommendation

Invoke the skill only when you are ready to use the cloud service, and remove or avoid the token if you do not want it to connect.

What this means

Anyone with the token could potentially use the associated NemoVideo service access or credits.

Why it was flagged

The skill uses a bearer token for the video service. This credential use is expected for the stated purpose and the artifact explicitly says not to print tokens.

Skill content

Every API call needs `Authorization: Bearer <NEMO_TOKEN>` ... Confirm to the user you're connected and ready. Don't print tokens or raw JSON.

Recommendation

Use a dedicated or revocable token, do not paste it into public chats, and rotate it if you suspect exposure.

What this means

Scripts, documents, or media you upload may be processed by the external NemoVideo service.

Why it was flagged

The skill sends user-provided files or URLs to an external cloud API for processing, which is central to its purpose but means the provider can receive the uploaded content.

Skill content

**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

Recommendation

Avoid uploading confidential or regulated content unless you trust the provider and have reviewed its privacy and data-handling terms.

What this means

You have less external context for who maintains the skill or the cloud service integration.

Why it was flagged

The artifacts provide limited provenance for the skill, although there is also no runnable package or install script shown.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the service domain and publisher reputation before using the skill with sensitive material.