Free Text Image
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: free-text-image Version: 1.0.0 The skill acts as a functional wrapper for the NemoVideo AI service, allowing the agent to generate images and videos via a cloud API (mega-api-prod.nemovideo.ai). The instructions in SKILL.md guide the agent through standard API procedures such as anonymous token generation, session management, and multipart file uploads. While it requests access to a specific configuration path (~/.config/nemovideo/) and an environment variable (NEMO_TOKEN), these are necessary for the stated purpose, and there is no evidence of data exfiltration, unauthorized system access, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may send content or request actions expecting an image-only tool while the workflow also supports video rendering/export.
The artifact describes both image generation and video/MP4 rendering, which is not clearly malicious but could surprise users expecting only static image output.
displayName: "Free Text Image — Generate Images From Text" ... "you get 1080p MP4 files" ... "Cloud Render Pipeline Details"
Clarify expected output type before use, especially before uploading private media or requesting export.
The agent may continue generation/export steps within the NEMO service based on backend responses rather than showing every raw API step to the user.
The skill tells the agent to convert backend UI-style responses into API operations. This fits the remote-rendering purpose, but it means backend responses can drive follow-up service actions.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Confirm with the user before uploads, exports, or any action that may consume credits or publish/share a downloadable result.
A provided account token could allow the agent to act in that NEMO account and potentially consume available credits.
The skill uses or creates a bearer token for the NEMO cloud service. This is expected for the integration, and the artifact also says not to expose tokens.
Look for `NEMO_TOKEN` in the environment... Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... this is your NEMO_TOKEN
Use a dedicated or low-privilege token where possible, and avoid providing a token tied to billing or sensitive account data unless you trust the service.
Text prompts and uploaded media may leave the local environment and be processed by the third-party backend.
Prompts, files, URLs, session identifiers, and generated media workflows are sent to an external backend. This is disclosed and central to cloud rendering.
This skill connects to a cloud processing backend... **API base**: `https://mega-api-prod.nemovideo.ai` ... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>`
Do not send confidential prompts, private images, or sensitive media unless you are comfortable with the backend provider processing them.
Users have less external context for verifying who operates the backend or how the service handles uploaded content.
The skill is instruction-only and has no local code to inspect, but the registry metadata does not provide a source repository or homepage for independent provenance review.
Source: unknown; Homepage: none
Review the provider and only use the skill for content you are comfortable sending to an unknown-source cloud integration.