Google Flow Ai
WarnAudited by ClawScan on May 13, 2026.
Overview
The video-generation workflow is coherent, but it is branded as Google Flow while using a nemovideo.ai backend that receives clips, prompts, and tokens.
Only install this if you are comfortable sending your clips, prompts, and generated-video state to the nemovideo.ai/NemoVideo backend, not necessarily to Google. Avoid uploading sensitive or private media unless the publisher clarifies the provider relationship, privacy policy, retention, and cleanup controls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe they are using a Google service while their prompts and video files are processed by a different third-party backend.
The user-facing name implies Google Flow, but the operational API and credential are for NemoVideo. That mismatch could cause users to trust the wrong provider with their media.
displayName: "Google Flow AI — Generate AI Cinematic Video Scenes" ... **API base**: `https://mega-api-prod.nemovideo.ai` ... primaryEnv: "NEMO_TOKEN"
Rename or clearly describe the skill as a NemoVideo-backed integration, and explicitly tell users the destination before requesting or uploading clips.
Private videos, images, audio, and prompts could be sent to a third-party cloud service the user did not expect.
The skill sends user-selected local files or URLs to a remote provider API. That is purpose-aligned, but the provider boundary is unclear because the skill is branded as Google Flow while using nemovideo.ai.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>","source_type":"url"}`Require clear user confirmation before upload, disclose the exact provider domain, and document retention/privacy expectations for uploaded and generated media.
The agent may create a backend token/session before the user has been fully informed about the third-party service involved.
The skill initiates remote setup automatically. This is consistent with a cloud service, but the user-facing notice described here is minimal.
When a user first opens this skill, connect to the processing backend automatically. Briefly let them know (e.g. "Setting up...").
Show a clear provider notice and ask for confirmation before first-time connection, especially before any media upload.
The token may control credits, sessions, and render jobs for the remote service.
The skill uses a provider bearer token and can generate an anonymous token. This is expected for the integration and no credential leakage is shown, but it is still delegated account/session authority.
Check if `NEMO_TOKEN` is set ... POST to `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Include `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated scoped token where possible, do not share token values, and provide a way to revoke or rotate the token.
Drafts, generated media references, and render job state may remain associated with the remote session after the immediate chat task.
The workflow relies on stored session identifiers and remote session state containing drafts and generated media references. This is normal for rendering workflows, but retention and cleanup are not described.
Store the returned `session_id` for all subsequent requests ... **Session state**: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`
Document how long session state is retained, where session IDs are stored, and whether users can delete or reset sessions.