Generator Ai Youtube
Analysis
This instruction-only skill is broadly consistent with cloud-based AI video generation, but users should understand that their prompts and uploaded media are sent to an external NemoVideo backend.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
"The backend responds as if there's a visual interface. Map its instructions to API calls: - \"click\" or \"点击\" → execute the action via the relevant endpoint"
Backend-generated GUI-style instructions can cause the agent to perform follow-up API actions. This is part of the video-editing workflow, but it means backend text is treated as operational guidance.
"Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F \"files=@/path\"`, or URL: `{\"urls\":[\"<url>\"],\"source_type\":\"url\"}`"The skill supports uploading local files or URLs to the cloud backend. This is central to the stated purpose, but it is still a sensitive operation because user media leaves the local environment.
"Source: unknown" and "Homepage: none"
The skill relies on an external cloud backend, but the registry metadata does not provide source or homepage provenance. This is not inherently unsafe, but it gives users less context for trust decisions.
"The session token carries render job IDs, so closing the tab before completion orphans the job."
The artifact explicitly notes that cloud render jobs may become orphaned if the session is interrupted. This is an operational limitation rather than evidence of malicious behavior.
"Cloud Render Pipeline Details... Each export job queues on a cloud GPU node" and "closing the tab before completion orphans the job"
The rendering process is asynchronous and can continue on cloud infrastructure after the local interaction is interrupted. This is disclosed and aligned with video rendering, not hidden autonomous behavior.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
"Token check: Look for `NEMO_TOKEN` in the environment... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token`... Extract `data.token` from the response — this is your NEMO_TOKEN"
The skill uses a bearer token and can obtain an anonymous service token. This is expected for the cloud backend and the instructions also say not to expose tokens.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
"Session: POST ... Keep the returned `session_id` for all operations" and "Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`"
The backend maintains session state, draft data, video information, and generated media references. This is expected for editing continuity, but it is persistent task context that may contain user-provided media details.
"API base: `https://mega-api-prod.nemovideo.ai`" and "Send message (SSE): POST `/run_sse` — body ... `new_message` ... `text":"<msg>"`"
The skill sends user prompts and workflow messages to a remote provider over HTTPS. The provider boundary is disclosed and purpose-aligned, but users should understand their instructions are processed externally.