Joyland Ai Image To Video

Pass

Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: joyland-ai-image-to-video
Version: 1.0.0

The skill provides a functional integration with the Nemo Video API (mega-api-prod.nemovideo.ai) to convert images into videos. It includes standard API interaction logic, such as session management, file uploads, and polling for render status, while explicitly instructing the agent not to leak sensitive tokens in its responses. No indicators of malicious intent, data exfiltration, or unauthorized execution were identified in the code or instructions.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Invoking the skill may immediately create or connect a provider session.

Why it was flagged

The skill directs the agent to make external API calls automatically when first used. This is expected for a cloud-rendering integration, but users should know it may connect before an upload occurs.

Skill content

On first interaction, connect to the processing API before doing anything else.

Recommendation

Use the skill only when you intend to use the named cloud rendering service.

What this means

Anyone with the token or active session could potentially access associated credits, sessions, or render jobs on that service.

Why it was flagged

The skill uses a bearer token and session identifier for the external service. That is purpose-aligned, but it is delegated account/session authority.

Skill content

Every API call needs `Authorization: Bearer <NEMO_TOKEN>` ... Save `session_id` from the response.

Recommendation

Keep NEMO_TOKEN private, prefer a dedicated token/account, and do not paste tokens into chats or shared logs.

What this means

Images, media URLs, and generation instructions you provide may leave your device for cloud processing.

Why it was flagged

The workflow sends user files, URLs, and prompt text to an external provider API. This is central to the skill, but it is a sensitive data flow.

Skill content

Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... Send message (SSE): POST `/run_sse`

Recommendation

Upload only media you are comfortable sharing with the provider and review the provider’s privacy/retention terms if the content is sensitive.

Note
High Confidence
ASI10: Rogue Agents

What this means

A render job may keep running remotely even if you stop interacting locally.

Why it was flagged

The skill discloses that cloud render jobs may continue or become detached from the local session after the user closes the tab.

Skill content

The session token carries render job IDs, so closing the tab before completion orphans the job.

Recommendation

Start renders intentionally and monitor status until completion, especially if credits or account limits matter.

What this means

You have limited external information for verifying the publisher or service relationship before sending media to the API.

Why it was flagged

The registry metadata does not provide a source repository or homepage to independently verify provenance. There are no code files or install scripts, so this is a provenance note rather than a code supply-chain concern.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the provider and publisher through trusted channels before using sensitive images or account credentials.