4k Pika Ai
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may upload media expecting a Pika-branded 4K service while actually using a different backend and likely receiving lower-than-4K output.
The skill is presented as a 4K Pika AI generator, but the concrete backend is NemoVideo and the documented render pipeline says up to 1080x1920, which is not 4K.
displayName: "4K Pika AI — Generate 4K AI Videos" ... "using Pika AI" ... "API base: `https://mega-api-prod.nemovideo.ai`" ... "H.264, up to 1080x1920"
The skill should clearly disclose the actual provider, model/service relationship, and output resolution limits before users upload files.
User media and prompts may leave the local environment for a provider different from what the skill name suggests.
The skill sends user images or videos to an external cloud backend. That is expected for video generation, but the data boundary is ambiguous because the user-facing name emphasizes Pika while the upload destination is NemoVideo.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... **API base**: `https://mega-api-prod.nemovideo.ai`
Only upload media you are comfortable sending to the NemoVideo endpoint, and prefer clearer provider/privacy disclosure before installing.
The agent will use a service credential tied to credits and render sessions.
The skill requires or creates a NemoVideo token and uses it as Bearer authentication. This is purpose-aligned for a cloud rendering service, and the artifact instructs not to expose tokens.
Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Include `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token if possible, do not paste sensitive credentials into chat, and monitor credits/account activity.
The agent may perform generation/export actions inside the cloud session based on backend responses rather than showing every intermediate instruction.
The skill tells the agent to translate backend GUI-style messages into API actions. This is scoped to the intended video workflow, but users may not see every backend-driven step.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Ask the agent to confirm uploads, edits, and exports if you want more control over cloud operations.