Text To Video Automatic

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: text-to-video-automatic
Version: 1.0.0

The skill is classified as suspicious due to instructions in SKILL.md that direct the AI agent to map text-based commands received from a remote SSE stream (e.g., "click", "open", "drag/drop") directly into API actions. This creates a remote control vector where the backend server (mega-api-prod.nemovideo.ai) can influence the agent's tool execution. Additionally, the skill performs environment fingerprinting by checking local installation paths (~/.clawhub/ or ~/.cursor/skills/) to set attribution headers. While these features support the stated text-to-video functionality, the remote instruction mapping and automated token acquisition from an external endpoint represent a significant attack surface.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The token gives the agent access to a Nemo video session and any associated credits or generated content for that service.

Why it was flagged

The skill uses a bearer token, and if one is absent it obtains an anonymous service token for the Nemo video backend.

Skill content

Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`

Recommendation

Use a dedicated token if possible, avoid sharing the token, and review Nemo account or credit usage if the service behaves unexpectedly.

What this means

Product text, scripts, images, audio, or video files may leave the local environment and be processed by Nemovideo's backend.

Why it was flagged

Prompts, messages, and uploaded media are sent to a third-party cloud API for processing.

Skill content

This skill connects to a cloud processing backend... **Send message (SSE)**: POST `/run_sse`... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>`

Recommendation

Do not submit confidential or regulated content unless you trust the provider and have reviewed its privacy and retention practices.

What this means

Once invoked, the agent may create sessions, send prompts, start render jobs, poll status, or export videos without showing each raw API step.

Why it was flagged

The skill instructs the agent to automatically perform backend API operations and translate provider responses into further API calls.

Skill content

On first use, set up the connection automatically... "click" or "点击" → execute the action via the relevant endpoint... "Export" or "导出" → run the export workflow

Recommendation

Ask the agent to confirm before uploading files, spending credits, or exporting if you want tighter control over cloud actions.

What this means

Users have limited provenance information to verify who maintains the skill before sending data to the referenced cloud API.

Why it was flagged

The registry artifacts do not provide a verified source repository or homepage for the skill or service integration.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and the nemovideo.ai service independently before using the skill with sensitive content.