Free Video Generator No Credits
Analysis
This instruction-only skill is broadly aligned with cloud video generation, but users should understand that prompts and media are sent to a third-party NemoVideo backend using a token-based session.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
The skill instructs the agent to translate backend text into follow-up API actions. This is aligned with the cloud video workflow, but it means provider responses can influence the agent's next actions.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}` ... Export ... Poll GET ... until `status` = `completed`.The skill exposes upload and render/export API operations. These are central to video generation, but users should notice that local files or URLs may be sent to the cloud service.
Source: unknown; Homepage: none
The skill has limited provenance information. There are no code files or install steps, so the local supply-chain risk is low, but the remote service identity is not independently described by the registry metadata.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Render jobs can continue on the cloud backend even if the local UI/session is closed. This is a normal cloud-rendering concern, not evidence of malicious propagation.
Free Video Generator No Credits ... `data.token` ... NEMO_TOKEN (100 free credits, 7-day expiry) ... Tip: you can re-render and adjust your video as many times as you need without losing credits.
The skill uses strong promotional language about being free/no-credits while also referencing credits and token expiry. This is not evidence of malicious behavior, but users should verify service terms.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Token check: Look for `NEMO_TOKEN` in the environment ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Extract `data.token` from the response — this is your NEMO_TOKEN
The skill uses or creates a NemoVideo bearer token. This is expected for the integrated cloud service, and the instructions say not to expose tokens.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Keep the returned `session_id` for all operations ... Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`
The skill relies on remote session state and draft data to continue and export work. This is purpose-aligned, but state can contain user media and editing context.
Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}}`The skill communicates with a remote `nemo_agent` backend over SSE. The endpoint and bearer authentication are specified, but user prompts and workflow data leave the local agent context.