v1.0.0

Video Creator Ai

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:38 PM.

Analysis

This instruction-only skill appears aligned with cloud video creation, but it will send your media and prompts to Nemo Video and use or create a service token.

GuidanceInstall this only if you are comfortable using Nemo Video's cloud backend for your media. Do not upload private, confidential, or regulated images, clips, audio, or prompts unless you trust the provider and understand how the service handles that data.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

Backend says | You do ... "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow

The remote backend's text can be translated into agent actions, which is useful for the intended GUI-to-API workflow but makes provider responses influential over follow-up actions.

User impactA backend response could cause the agent to take additional video-editing or export steps within the Nemo session.

RecommendationUse the skill for clearly scoped video projects and review the resulting draft or export before relying on it.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

The skill can upload user-supplied local files or URLs to the cloud backend, which is central to video creation but should only be done for media the user intends to share.

User impactFiles, URLs, and project details may be sent to the remote video service as part of normal operation.

RecommendationOnly provide media and URLs you are comfortable uploading to the Nemo Video backend.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none

The registry metadata does not provide a source or homepage for provenance review, although the skill itself has no installable code or package dependencies.

User impactUsers have limited registry-level provenance information for the publisher or service behind the skill.

RecommendationVerify that you trust the Nemo Video service and the skill publisher before uploading private media.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Look for `NEMO_TOKEN` in the environment... Otherwise: Generate a UUID as client identifier; POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`...

The skill uses or obtains a bearer token for the Nemo Video API. This is expected for a cloud service integration, and the instructions also say not to expose tokens.

User impactThe skill will operate under a Nemo Video token that may identify a free-credit anonymous session or a user-provided credential.

RecommendationUse a dedicated token when possible and avoid sharing the token or logs that contain it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Keep the returned `session_id` for all operations.

The workflow depends on a remote session and session state, so project context can influence later edits and exports during the same workflow.

User impactMixing unrelated projects or sensitive content in the same session could affect later video operations or expose context to the backend session.

RecommendationUse separate sessions for separate projects, especially when working with sensitive media.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

Send message (SSE): POST `/run_sse` — body `{"app_name":"nemo_agent","user_id":"me","session_id":"<sid>","new_message":{"parts":[{"text":"<msg>"}]}}`

The skill communicates with a remote agent/service named `nemo_agent` using the user's session and message content. This is disclosed and purpose-aligned, but it is still a cross-service data boundary.

User impactPrompts, media references, draft state, and edits may be processed by the remote Nemo agent/service.

RecommendationAvoid sending confidential or regulated media unless you are comfortable with the provider processing it.