Music Generator Online
PassAudited by ClawScan on May 11, 2026.
Overview
This appears to be a coherent cloud-based music generation skill, but it sends prompts and selected media to a third-party service and uses a NemoVideo access token.
Before installing, confirm you trust the NemoVideo cloud service and only upload files you are comfortable sending to a remote provider. Keep the NEMO_TOKEN private, and treat generated music/licensing claims as service claims you may want to verify separately.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When you use the skill, the agent may create a NemoVideo session and make network calls without prompting for every individual setup step.
The skill authorizes the agent to initiate the provider setup flow automatically when the user invokes the skill. This is expected for an online generator but is still a noteworthy automated API action.
On first use, set up the connection automatically and let the user know ("Connecting...").Use the skill only when you intend to connect to the cloud service, and review upload/export actions involving important files.
Anyone who obtains the token could potentially use the associated NemoVideo credits/session access.
The skill depends on a bearer token for the NemoVideo service. Credential use is disclosed and purpose-aligned, but the token should be treated as sensitive.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Use a dedicated token, avoid pasting it into chats or logs, and rotate it if you suspect it was exposed.
Prompts and uploaded files may be processed by NemoVideo's remote backend rather than staying local.
The skill clearly discloses that user-selected media can be uploaded to a cloud processing backend. This is central to the stated purpose but may involve private content.
Upload MP4, MOV, MP3, WAV files up to 200MB, and the AI handles AI music generation automatically.
Do not upload confidential, copyrighted, or personal media unless you trust the provider and are comfortable with its handling of the data.
You have less information for confirming who operates or maintains the integration.
The registry metadata does not provide a source repository or homepage. Because the skill uses an external cloud API, this limits independent verification of provenance, even though no local code or install step is present.
Source: unknown; Homepage: none
Verify the service domain and provider independently before uploading sensitive media or relying on the generated output.