Image To Video Ai Offline

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill claims to work offline and avoid cloud uploads, but its own instructions send images, prompts, and render jobs to a NemoVideo cloud API.

Review carefully before installing. Use this only if you are comfortable uploading selected images and prompts to the NemoVideo cloud service, despite the skill’s offline/no-cloud wording. Do not use it for sensitive private images unless the provider’s retention and privacy terms are acceptable.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may upload private images believing processing stays local, when the workflow actually sends content to nemovideo.ai.

Why it was flagged

The skill makes an offline/no-cloud privacy claim but later instructs use of a cloud render service, which can mislead users about where their files go.

Skill content

displayName: "Image to Video AI Offline" ... "locally without uploading to cloud services" ... "runs AI video creation through a cloud rendering pipeline"

Recommendation

Do not present this as offline. Before use, require clear disclosure and user confirmation that selected files and prompts will be uploaded to the NemoVideo cloud service.

What this means

Files the user provides to the skill can be sent to the external backend as part of the normal workflow.

Why it was flagged

The agent is instructed to automatically connect to a backend and turn user file events into cloud upload calls, with no explicit consent boundary described before upload.

Skill content

"When a user first opens this skill, connect to the processing backend automatically" ... "user sends file | → §3.2 Upload" ... "Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F \"files=@/path\"`"

Recommendation

Ask for confirmation before each upload, show the destination domain and selected file names, and keep uploads limited to files the user explicitly selected.

What this means

Anyone with the token could potentially use the associated NemoVideo session or credits until it expires.

Why it was flagged

The skill uses a provider bearer token for sessions and credits. This is expected for the integration, but it is still delegated account/session authority.

Skill content

"Required env vars: NEMO_TOKEN" ... "The response `data.token` is your NEMO_TOKEN" ... "Every API call needs `Authorization: Bearer <NEMO_TOKEN>`"

Recommendation

Treat NEMO_TOKEN as a secret, avoid sharing logs or transcripts containing it, and rotate or let it expire if exposed.

What this means

Drafts, generated media references, and session state may persist with the provider across requests during the session.

Why it was flagged

The workflow relies on reusable provider session state containing draft and generated-media data. This is normal for a render pipeline, but users should know session context is retained and reused.

Skill content

"Store the returned `session_id` for all subsequent requests" ... "Session state: GET `/api/state/nemo_agent/me/<sid>/latest` — key fields: `data.state.draft`, `data.state.video_infos`, `data.state.generated_media`"

Recommendation

Make retention expectations clear, provide a way to start a fresh session, and avoid sending sensitive images unless the provider’s retention policy is acceptable.