4k Pika Ai
Pass
Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: 4k-pika-ai
Version: 1.0.0
The skill is a functional integration for the 'nemovideo.ai' service, allowing users to generate AI videos. It provides detailed instructions for the agent to manage authentication tokens, handle file uploads, and interact with a cloud rendering pipeline via SSE. All network requests are directed to the legitimate service domain (mega-api-prod.nemovideo.ai), and the requested permissions (NEMO_TOKEN and ~/.config/nemovideo/) are strictly relevant to the skill's stated purpose without any signs of data exfiltration or malicious execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may upload media expecting a Pika-branded 4K service while actually using a different backend and likely receiving lower-than-4K output.
The skill is presented as a 4K Pika AI generator, but the concrete backend is NemoVideo and the documented render pipeline says up to 1080x1920, which is not 4K.
displayName: "4K Pika AI — Generate 4K AI Videos" ... "using Pika AI" ... "API base: `https://mega-api-prod.nemovideo.ai`" ... "H.264, up to 1080x1920"
The skill should clearly disclose the actual provider, model/service relationship, and output resolution limits before users upload files.
User media and prompts may leave the local environment for a provider different from what the skill name suggests.
The skill sends user images or videos to an external cloud backend. That is expected for video generation, but the data boundary is ambiguous because the user-facing name emphasizes Pika while the upload destination is NemoVideo.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... **API base**: `https://mega-api-prod.nemovideo.ai`
Only upload media you are comfortable sending to the NemoVideo endpoint, and prefer clearer provider/privacy disclosure before installing.
The agent will use a service credential tied to credits and render sessions.
The skill requires or creates a NemoVideo token and uses it as Bearer authentication. This is purpose-aligned for a cloud rendering service, and the artifact instructs not to expose tokens.
Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Include `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token if possible, do not paste sensitive credentials into chat, and monitor credits/account activity.
The agent may perform generation/export actions inside the cloud session based on backend responses rather than showing every intermediate instruction.
The skill tells the agent to translate backend GUI-style messages into API actions. This is scoped to the intended video workflow, but users may not see every backend-driven step.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Ask the agent to confirm uploads, edits, and exports if you want more control over cloud operations.
