Generator Ai Youtube
PassAudited by ClawScan on Apr 30, 2026.
Overview
This instruction-only skill is broadly consistent with cloud-based AI video generation, but users should understand that their prompts and uploaded media are sent to an external NemoVideo backend.
Install this only if you are comfortable sending your video clips, editing prompts, and project state to the NemoVideo cloud backend. Keep your NEMO_TOKEN private, avoid uploading confidential recordings, and review exported videos before publishing.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The service backend may steer the agent through editing and export steps inside the video workflow.
Backend-generated GUI-style instructions can cause the agent to perform follow-up API actions. This is part of the video-editing workflow, but it means backend text is treated as operational guidance.
"The backend responds as if there's a visual interface. Map its instructions to API calls: - \"click\" or \"点击\" → execute the action via the relevant endpoint"
Use the skill for intended video-generation tasks and review final outputs before using or publishing them.
Videos, audio, images, or URLs provided for editing may be uploaded to the external service.
The skill supports uploading local files or URLs to the cloud backend. This is central to the stated purpose, but it is still a sensitive operation because user media leaves the local environment.
"Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F \"files=@/path\"`, or URL: `{\"urls\":[\"<url>\"],\"source_type\":\"url\"}`"Only provide media files and URLs you are comfortable sending to the NemoVideo cloud service.
The skill will authenticate to NemoVideo using either an existing NEMO_TOKEN or a newly issued anonymous token.
The skill uses a bearer token and can obtain an anonymous service token. This is expected for the cloud backend and the instructions also say not to expose tokens.
"Token check: Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Extract `data.token` from the response — this is your NEMO_TOKEN"
Treat NEMO_TOKEN as a credential and avoid sharing logs or screenshots that could reveal it.
Users have limited registry-provided provenance information about who operates or maintains the integration.
The skill relies on an external cloud backend, but the registry metadata does not provide source or homepage provenance. This is not inherently unsafe, but it gives users less context for trust decisions.
"Source: unknown" and "Homepage: none"
Confirm you trust the listed skill owner and the NemoVideo service before uploading private or unreleased media.
Your video project state and generated media metadata may remain available in the backend session during the workflow.
The backend maintains session state, draft data, video information, and generated media references. This is expected for editing continuity, but it is persistent task context that may contain user-provided media details.
"Session: POST ... Keep the returned `session_id` for all operations" and "Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`"
Avoid uploading sensitive recordings unless you are comfortable with remote project state being maintained by the service.
Text prompts and editing instructions are transmitted to the NemoVideo backend.
The skill sends user prompts and workflow messages to a remote provider over HTTPS. The provider boundary is disclosed and purpose-aligned, but users should understand their instructions are processed externally.
"API base: `https://mega-api-prod.nemovideo.ai`" and "Send message (SSE): POST `/run_sse` — body ... `new_message` ... `text":"<msg>"`"
Do not include secrets or private information in prompts unless needed for the video task and trusted by the service.
An interrupted render may keep running or become inaccessible, which could waste time or leave an unfinished cloud job.
The artifact explicitly notes that cloud render jobs may become orphaned if the session is interrupted. This is an operational limitation rather than evidence of malicious behavior.
"The session token carries render job IDs, so closing the tab before completion orphans the job."
Keep the session open until rendering finishes, especially for larger exports.
A render job may continue remotely even if the local session is closed before completion.
The rendering process is asynchronous and can continue on cloud infrastructure after the local interaction is interrupted. This is disclosed and aligned with video rendering, not hidden autonomous behavior.
"Cloud Render Pipeline Details... Each export job queues on a cloud GPU node" and "closing the tab before completion orphans the job"
Start exports intentionally and wait for completion when possible.