Ai Image To Video Ltx
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears aligned with its image-to-video purpose, but it uses a third-party cloud backend and sends user prompts/media there with a provider token.
This looks like a normal cloud image-to-video integration rather than malicious behavior. Before installing, be comfortable with automatic connection to the NemoVideo API, provider-token use, and uploading selected images or media to a third-party service. Avoid sending private or confidential media unless you trust that provider.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less information about who maintains the skill or where to review the service before uploading media.
The skill has limited registry provenance information. This is not suspicious by itself, especially because there is no local code install, but it matters because the skill connects to an external provider.
Source: unknown Homepage: none
Only use it if you are comfortable with the named external API provider, and avoid uploading private images without checking the provider's terms.
Opening the skill may contact the video provider and create a temporary anonymous session before you upload content.
The skill makes automatic network API calls to create a provider token/session on first use. This is disclosed and fits the cloud-render workflow.
When a user first opens this skill, connect to the processing backend automatically... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... **Create a session**: POST `https://mega-api-prod.nemovideo.ai/api/tasks/me/with-session/nemo_agent`
Use the skill only when you intend to use the cloud service, and do not invoke it in contexts where automatic external service contact is unwanted.
The agent will use the NEMO_TOKEN to access the provider service and spend or check credits for video generation.
The skill uses a provider token as delegated authorization. This is expected for the service and no artifact shows hardcoded, logged, or unrelated credential use.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`... The response `data.token` is your NEMO_TOKEN — 100 free credits, valid 7 days.
Keep the token private, use a provider-specific token, and revoke or rotate it if you no longer trust the integration.
Images, media URLs, and prompt text you provide may be processed by the third-party backend.
The skill sends prompts and user-selected media or URLs to the external video backend. This is central to the stated image-to-video purpose, but users should treat it as cloud processing.
**Send message (SSE)**: POST `/run_sse`... **Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Do not upload sensitive or private media unless you are comfortable with that provider processing it.