v1.0.0

Music To Video Ai

Benign
ClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:14 PM.

Analysis

This instruction-only skill appears purpose-aligned, but it automatically uses the NemoVideo cloud service, a token, and remote rendering for user media.

Guidance: This skill is reasonable for cloud-based music-to-video conversion, but only install and use it if you are comfortable sending your media and prompts to mega-api-prod.nemovideo.ai and using a NemoVideo token or anonymous service credits. Avoid uploading confidential or unreleased material unless you trust the provider.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Everything else (generate, edit, add BGM…) | → §3.1 SSE

Broad editing and generation requests are delegated to the remote SSE backend, whose responses are then used to guide the workflow. This is purpose-aligned for cloud video editing but means external service responses influence agent behavior.

User impact: The remote service can shape how the agent proceeds with edits and generation after the user gives a request.
Recommendation: Use the skill only for media workflows where you are comfortable letting the NemoVideo backend guide the editing process.
Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
/api/upload-video/nemo_agent/me/<sid> | POST | Upload a file (multipart) or URL.

The skill exposes upload, SSE editing, credit checking, state fetching, and render-export API operations. These actions are expected for cloud video generation, but they can send user files and start render jobs.

User impact: User-selected files may be uploaded and export jobs may consume service credits.
Recommendation: Confirm the media and export request before using the upload or render features, especially for large or private files.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide a source repository or homepage, while the skill relies on a remote backend. This is a provenance transparency gap, though there is no install-time code or hidden dependency in the provided artifacts.

User impact: Users have limited independent information about the skill publisher or backend provenance before sending media to the service.
Recommendation: Review the service domain and provider trustworthiness before uploading valuable or private media.
Cascading Failures
Severity: Low; Confidence: High; Status: Note
SKILL.md
closing the tab before completion orphans the job.

Render jobs are queued on remote GPU nodes and can become orphaned if the session is closed. This is disclosed, but it is a failure mode users should notice because it can leave backend work in progress.

User impact: An interrupted export may continue or become detached from the user session, potentially wasting time or credits.
Recommendation: Keep the session open until exports finish, and check job state or credits if an export is interrupted.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Every API call needs Authorization: Bearer <NEMO_TOKEN>

The skill requires a NemoVideo bearer token and can also obtain an anonymous token for free credits. This is expected for the integrated service but gives the skill access to that service account or credit balance.

User impact: The token authorizes actions against the NemoVideo API, including session creation, uploads, state checks, and exports.
Recommendation: Use a token intended for this service, avoid sharing it elsewhere, and revoke or rotate it if you no longer trust the skill or provider.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
Store the returned session_id for all subsequent requests.

The skill reuses a server-side session identifier and fetches latest timeline state across requests. This is expected for an editing session but creates persistent task context tied to the token/session.

User impact: Project state and render context can persist across requests within the backend session.
Recommendation: Avoid mixing unrelated or sensitive projects in the same session, and treat the session as containing your uploaded media and editing history.
Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
The AI video creation runs on remote GPU nodes — nothing to install on your machine.

The skill sends media and prompts to an external cloud rendering service. This is clearly aligned with the stated purpose, but users should understand that files are processed outside the local environment.

User impact: Uploaded audio, video, images, prompts, and related project state may be processed by the NemoVideo backend.
Recommendation: Do not upload confidential, unreleased, or rights-sensitive media unless you trust the external provider and its terms.