Image To Video Honor
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent cloud video-rendering skill, but using it sends chosen media and prompts to NemoVideo and relies on a provider token/session.
Before installing, understand that this skill is a cloud integration: selected images or media and prompts will be sent to NemoVideo, and a provider token/session will be used. Avoid uploading sensitive personal material unless you trust the provider, protect your NEMO_TOKEN, and ask for confirmation before uploads, generation, or export if you want more control.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The token may allow use of the user’s NemoVideo credits or session and should be kept private.
The skill uses a provider bearer token and can obtain an anonymous token if one is absent. That is expected for this cloud service, but it is still account/session authority.
Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated provider token if possible, do not share it in chat, and rotate or revoke it if it is exposed.
Photos, video/audio files, prompts, and generated project state may be processed by NemoVideo’s cloud service.
The skill sends user-selected files or URLs to an external cloud backend for processing. This is central to the purpose, but it is a third-party data flow.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Only upload media you are comfortable sending to the provider, especially if it contains private events, children, faces, or confidential material.
If the backend gives an unexpected instruction, the agent may take a video-session action such as querying state, editing, or exporting.
The artifact tells the agent to convert some backend natural-language GUI instructions into follow-on API actions. This is purpose-aligned but means provider responses can drive workflow steps.
Backend says | "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Ask the agent to confirm important actions such as uploads, credit-consuming generation, or final export if you want tighter control.
Users have limited external context for who maintains the skill or the cloud integration instructions.
The registry metadata does not provide a source repository or homepage for independent verification. There is no install-time code, so this is a provenance note rather than a direct code risk.
Source: unknown; Homepage: none
Install only if you are comfortable trusting the registry entry and the NemoVideo API endpoint documented in the skill.