Text To Automatic
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your NemoVideo token or an anonymous token to create sessions, upload content, check credits, and start exports.
The skill uses a bearer token for the NemoVideo service. This is expected for the stated cloud-rendering purpose, but it gives the agent delegated access to that service account/session.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a token intended for this service, monitor credit usage, and avoid sharing the token outside the skill environment.
Uploaded scripts, media, prompts, and render state may leave your local environment and be processed by NemoVideo.
The skill is designed to send user-provided scripts or media to a remote provider for processing. This is purpose-aligned, but the artifact does not describe provider retention or privacy controls.
Send me your text scripts... The automatic video generation runs on remote GPU nodes... `/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file
Do not upload confidential or regulated content unless you trust the provider and have reviewed its privacy and retention terms.
You may not be shown details about token creation, backend session setup, or API calls unless you ask.
The skill favors hiding connection/session details from the user. The overall cloud workflow is disclosed elsewhere, so this is a transparency note rather than evidence of deception.
Tell the user you're ready. Keep the technical details out of the chat.
Ask the agent to confirm before uploading files or starting exports if you want more transparency.
It may be harder to verify who maintains the skill or whether it is an official NemoVideo integration.
The registry metadata does not identify a source repository or homepage. There is no code or install script shown, so this is a provenance limitation rather than an executable supply-chain concern.
Source: unknown; Homepage: none
Install only if you are comfortable trusting this registry entry and the external API endpoint it uses.