v1.0.0

Generator Video

Benign
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:09 PM.

Analysis

This instruction-only video skill appears purpose-aligned, but using it sends prompts or media to a Nemovideo cloud API and uses a NEMO_TOKEN credential and render credits.

Guidance

Before using this skill, make sure you are comfortable sending prompts, clips, images, and audio to Nemovideo's cloud service and using a NEMO_TOKEN or anonymous token with credits. Avoid sensitive media, keep tokens private, and deliberately confirm export/download requests because they may create cloud render jobs or consume credits.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low; Confidence: High; Status: Note
SKILL.md
The backend responds as if there's a visual interface. Map its instructions to API calls

Remote backend responses can influence the agent's next API actions. This is expected for this hosted video workflow, but users should know the provider's responses are operationally important.

User impact: The remote service may guide the agent through video-editing steps after the user starts a generation or edit task.
Recommendation: Use the skill only for its intended video tasks and review important actions such as uploads and exports.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
`/api/upload-video/nemo_agent/me/<sid>` | POST | Upload a file (multipart) or URL. ... `/api/render/proxy/lambda` | POST | Start export.

The skill can upload user files or URLs and start cloud render/export jobs. These actions fit the stated video-generation purpose, but they can expose media and consume service resources or credits.

User impact: A prompt, clip, image, or audio file you provide may be sent to the cloud service, and exports may use credits or create render jobs.
Recommendation: Avoid uploading sensitive media, and confirm you intend to export before asking for downloads or final renders.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Base URL: `https://mega-api-prod.nemovideo.ai`

The skill depends on an external hosted API whose server-side implementation is not included in the artifact. This is normal for a cloud rendering skill, but users must trust that provider.

User impact: Changes or issues in the remote service could affect uploads, editing behavior, exports, or privacy handling.
Recommendation: Use the skill only if you trust the Nemovideo service and are comfortable with a cloud-rendering dependency.

Cascading Failures
Severity: Low; Confidence: High; Status: Note
SKILL.md
Each export job queues on a cloud GPU node ... closing the tab before completion orphans the job.

Render work can continue in the cloud and become disconnected from the local session if interrupted. This is contained to rendering, but it can affect job tracking or credits.

User impact: Interrupted exports may leave unfinished or hard-to-track cloud jobs.
Recommendation: Keep the session open until exports complete and check credits/status if a render is interrupted.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Free token: Generate a UUID as client identifier, then POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... `data.token` becomes your NEMO_TOKEN (100 credits, 7-day expiry).

The skill creates or uses a bearer token for the provider service. This is disclosed and purpose-aligned, but the token represents account/session authority and credits.

User impact: Anyone with access to the token could potentially use the associated Nemovideo session or credits.
Recommendation: Keep NEMO_TOKEN private, do not paste it into chats or logs, and use a dedicated token if possible.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Save `session_id` from the response. ... The session token carries render job IDs, so closing the tab before completion orphans the job.

The workflow stores and reuses cloud session/render context. This is necessary for video rendering, but prompts, media state, and job IDs may persist in the provider session.

User impact: Your project state may remain associated with a cloud session while generation or export is in progress.
Recommendation: Do not use sensitive or confidential prompts/media unless you are comfortable with them being processed and retained in the cloud session.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
`/run_sse` | POST | Send a user message. Body includes `app_name`, `session_id`, `new_message`. Stream response with `Accept: text/event-stream`. ... Tool call/result | Process internally, don't forward

The local agent exchanges user messages and backend tool results with the remote `nemo_agent` service. The endpoint is fixed and purpose-aligned, but the boundary between local assistant and remote agent is important for privacy.

User impact: User prompts and editing instructions can be sent to the provider, and internal backend tool activity may not be shown verbatim.
Recommendation: Assume video instructions and related project context are shared with the Nemovideo backend.