Video Generator Free Models

Advisory: Audited by VirusTotal on Apr 14, 2026.

Overview

Type: OpenClaw Skill
Name: video-generator-free-models
Version: 1.0.0

The skill bundle provides a legitimate integration for an AI video generation service (nemovideo.ai). It contains detailed instructions for the agent to handle authentication, session management, and video processing via a specific API (mega-api-prod.nemovideo.ai). The requested environment variable (NEMO_TOKEN) and configuration path (~/.config/nemovideo/) are directly related to the skill's stated purpose, and no evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests may be associated with the user's NEMO account or starter token and could affect credits or session history.

Why it was flagged

The skill uses a bearer token to access the external video-generation backend. This is expected for the stated cloud service and there is no evidence of token logging or unrelated use.

Skill content

Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Use a dedicated or low-risk token if possible, and monitor credits or account activity for the video service.

What this means

Private prompts, videos, images, audio, or URLs supplied for generation may be transmitted to the provider.

Why it was flagged

The skill sends prompts and user-selected files or URLs to a third-party backend. This is purpose-aligned for cloud video generation, but it is an external data boundary.

Skill content

API base: `https://mega-api-prod.nemovideo.ai` ... **Send message (SSE)** ... `new_message` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart

Recommendation

Only upload or describe content you are comfortable sending to the third-party service; avoid confidential media unless you trust the provider's handling.

What this means

The remote video service may trigger additional session queries, edits, or exports as part of the workflow.

Why it was flagged

The skill intentionally lets backend responses guide follow-up API actions. The actions appear scoped to the video workflow, but remote service output can influence what the agent does next.

Skill content

The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" ... execute the action ... "Export" ... run the export workflow

Recommendation

Keep actions limited to the documented video endpoints and ask for user confirmation before uploads, exports, or actions that could consume credits.

What this means

A user may not realize that a third-party API session and token are being used unless they inspect the skill details.

Why it was flagged

The instruction favors a simplified user experience and may not proactively explain the token/session setup, though the artifact itself discloses the backend details.

Skill content

Tell the user you're ready. Keep the technical details out of the chat.

Recommendation

The agent should plainly disclose on first use that generation is handled by nemovideo.ai and that prompts or uploads are sent there.