Ai Video Editor Luma

Advisory

Audited by Static analysis on May 5, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could upload private videos believing they are using Luma AI, without being clearly told that the workflow uses a different backend service.

Why it was flagged

The skill presents itself with Luma AI branding while the actual backend is NemoVideo, and it instructs the agent not to disclose technical details to the user.

Skill content

displayName: "AI Video Editor Luma — Edit Videos with Luma AI" ... **API base**: `https://mega-api-prod.nemovideo.ai` ... "Keep the technical details out of the chat."

Recommendation

Clearly disclose the actual provider and data destination before uploads, and avoid implying official Luma AI affiliation unless that relationship is verified.

What this means

Your video files and editing instructions may be processed by a third-party cloud service.

Why it was flagged

The skill sends user-selected media and editing prompts to an external cloud service, which is expected for this purpose but involves sensitive user content leaving the local environment.

Skill content

**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... **Send message (SSE)**: POST `/run_sse`

Recommendation

Only upload videos you are comfortable sending to the provider, and ask for provider, privacy, and retention details before using sensitive footage.

What this means

The skill can act against the NemoVideo API using the provided or generated token, including creating sessions, uploading media, checking credits, and rendering exports.

Why it was flagged

The skill uses a provider bearer token or automatically obtains an anonymous starter token. This is purpose-aligned for the service but is still delegated account/API access.

Skill content

requires: {"env": ["NEMO_TOKEN"] ... "If `NEMO_TOKEN` is in the environment, use it directly ... Otherwise, acquire a free starter token" ... "Authorization: Bearer <NEMO_TOKEN>"

Recommendation

Use a dedicated token when possible, monitor credit usage, and avoid sharing tokens across unrelated tools.